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CYBERSECURITY: PREPARING FOR AND 
RESPONDING TO THE ENDURING THREAT 


WEDNESDAY, JUNE 12, 2013 

U.S. Senate, 

Committee on Appropriations, 

Washington, DC. 

The committee met at 2:02 p.m., in room SD-G50, Dirksen Sen- 
ate Office Building, Hon. Barbara A. Mikulski (chairwoman) pre- 
siding. 

Present: Senators Mikulski, Leahy, Murray, Feinstein, Durbin, 
Landrieu, Pryor, Tester, Udall, Merkley, Shelby, Cochran, Collins, 
Coats, Johanns, and Boozman. 

OPENING STATEMENT OF SENATOR BARBARA A. MIKULSKI 

Chairwoman Mikulski. This afternoon I am opening a hearing 
on cybersecurity. We are going to examine the efforts to protect the 
American people from cyber threats, to protect our domains of dot- 
mil, dot-gov, and dot-com. We need to make sure that the American 
people know what our programs are, know what we are spending 
our money for, and also to make sure that we make wise use of 
taxpayer dollars so that there are no techno-boondoggles. We hope 
to make sure we know how to help the private sector and to protect 
dot-com by real-time information-sharing about threats and helping 
the private sector develop the secure technologies we need. We 
need to prevent hackers, nation-states, and criminals from stealing 
our cyber identities, cyber espionage, cyber sabotage against our 
online commerce or our critical infrastructure, track and disrupt 
the hackers, and prosecute them when possible. 

I have two goals for this hearing. 

First, I want to make sure that we protect the American people 
from cyber threats by working together across the Government to 
protect, as I said, the domains of dot-mil, dot-gov, and dot-com. 

Second, I want to examine how agencies will use cybersecurity 
funding in the budget. The administration is requesting more than 
$13 billion for fiscal year 2014. In this very stringent environment, 
we are concerned about techno-boondoggles. The Government is 
often very good at spending money, but we need to make sure we 
spend the money well. Over the years, there have been failures and 
inefficiencies in Government IT programs, and we do not want that 
to happen as we move forward in this cyber domain. 

I called this hearing as the full committee chairwoman to work 
across the subcommittees to make sure there are not stovepipes, to 
make sure, as we look at this, the questions that we have related 
to governance, are we developing the right technologies to protect 
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us, are we investing in the workforce we need, and how do we pro- 
tect our civil liberties. 

I am so proud of my subcommittee chairs. I want to acknowledge 
the work of Senator Durbin and the Ranking Member Cochran on 
Defense. I want to acknowledge the work of Chairwoman Landrieu 
and her ranking member, Senator Coats, both with a great deal of 
expertise. For me, we will have the Federal Bureau of Investigation 
(FBI) and National Institute of Science and Technology (NIST), and 
my great vice chairman, Senator Shelby. 

This is a committee that is loaded with talent in this area, com- 
ing with enormous expertise from the authorizing committee. We 
have Senator Leahy from the Judiciary Committee, well versed on 
the issues of law on cybersecurity and a staunch protector of our 
civil liberties. We have Chairwoman Feinstein on the Intelligence 
Committee. From Armed Services, we have Reed, Shaheen, 
Graham, and Blunt. We have the former Chair of the Homeland 
Security Committee, Senator Collins, herself now a member of the 
Intelligence Committee. Rarely has a committee had so much tal- 
ent coming together from both those of us from appropriations as 
well as the authorizers. 

I hope that our country has a sense of urgency. We are already 
under attack. This is the new, enduring war. We are in a cyber war 
every day. Every time someone steals our identity, steals our State 
secrets or our trade secrets, we are at war. We now see the growing 
nexus between cyber criminals and nation states hacking our net- 
works, planning disruptions of our business operations. Director 
Mueller of the FBI said that cyber crime will eventually surpass 
terrorism as our number one threat to America. Secretary Hagel 
and General Dempsey continue to warn us against cyber as an in- 
sidious threat. These are such critical concerns that President 
Obama, in his recent meeting with the Chinese President, raised 
cybersecurity as one of our great, great international tensions be- 
tween both countries. 

Now, last year, we tried to pass cybersecurity legislation. We all 
worked on a bipartisan basis. It was actually under the Collins- 
Lieberman bill. But it did not happen. The President has issued an 
Executive order. But just because authorizing has not happened 
does not mean that nothing is happening. 

So in February, the President signed his Executive order, and it 
improves real-time information sharing, protects critical infrastruc- 
ture, provides critical infrastructure in cyber risk, and brings pri- 
vate sector experts into the Federal service. 

Each one of these goes through a different subcommittee, but 
here today we are going to do something pretty different. And I 
bring to your attention the President’s fiscal year 2014 budget on 
the areas of cybersecurity. This will be the first time in one place 
that we can look across all of the areas to make sure we know 
what the request is, what they are not only in individual agencies, 
but do we get the synergistic effect necessary to protect our coun- 
try. It is significant that this document that you all have, which 
is a public document, that we have in one place, a one-stop shop, 
really what the President is requesting. 

The President of the United States in his budget message to the 
Congress has asked for $13 billion in order to execute the 
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cybersecurity strategy across the agencies of the Federal Govern- 
ment. The purpose of this hearing today is to look at the 
cybersecurity threat, not every program from the National Security 
Agency (NS A), not every program being run by Homeland or the 
Department of Justice or the great work being done by NIST. It is 
to focus on the cybersecurity. 

But it is a committee first and I might say a Senate first. No 
other committee has tried to hold a hearing across the different do- 
mains, agencies, and smokestacks, and also to do it in an open, 
public way. 

And the expertise, as I said, here from both the subcommittee 
chairs and the authorizing is stunning. So we know that we are 
going to be able to do it. 

The President has asked for $13 billion: $9.3 billion for the De- 
partment of Defense (DOD), $1.3 billion for the Department of 
Homeland Security (DHS), $670 million for the Department of Jus- 
tice (DOJ), primarily the Federal Bureau of Investigation, and the 
National Institutes of Standards and Technology, $215 billion — 
$215 million. NIST has never seen $215 billion. That is the defense 
guys. 

Today we will hear from our Government’s lead people on this: 
General Alexander, the Director of the National Security Agency 
and the head of Cyber Command; Rand Beers, the Acting Deputy 
Secretary of Homeland Security; Dr. Gallagher, the Acting Deputy 
Secretary of Commerce but the Director of NIST; and Richard 
McFeely, the FBI Executive Assistant Director in charge of the 
Criminal, Cyber, and Response, and Services Branch. 

I also want to acknowledge that in the last several days many 
intelligence issues have been in the press, and I understand that 
these are issues that are very much on the public’s mind and Mem- 
bers of the Senate. 

Last week, in my Commerce, Justice hearing with the Attorney 
General, this topic of particularly our surveillance program came 
up. I pledged to Senator Shelby, a former Chair of the Intelligence 
Committee, well versed on the topic, not of the surveillance but on 
this, that we would have a full committee hearing on that par- 
ticular program. That is not today. That is for another day. 

I understand that our colleague, Senator Chairwoman, the Chair 
of the Intelligence Committee, has scheduled a briefing for all Sen- 
ators tomorrow. And this is the second hearing that Senator Fein- 
stein has opened up the Intelligence Committee for a briefing for 
all Senators to be able to participate. After the Feinstein meeting 
tomorrow, if Senator Shelby continues to recommend that this com- 
mittee hold a hearing on this matter, I will be happy to comply, 
and I pledge that to you, sir. I did last week and so on. But we 
will see if it is necessary, and if deemed so, we certainly will. 

So, again, today’s hearing will focus on the cyber threat, pro- 
tecting the American people, protecting the taxpayer in their role 
as both citizen and taxpayer. I hope today’s hearing will focus on 
this very important issue, and I say to my colleagues this is a com- 
mittee hearing that is a first. It will be not the last on this topic 
or other matters related to our national security. 
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I now want to turn to my ranking member, Senator Shelby, who 
has been active on this matter, the vice chairman of the committee, 
former Chair of the Intelligence Committee. Senator Shelby. 

STATEMENT OF SENATOR RICHARD C. SHELBY 

Senator Shelby. Thank you, Madam Chair. 

As you have pointed out, this is a very important hearing on a 
topic that demands significant congressional involvement. The 
cyber threat, as we all know, is increasing and becoming more chal- 
lenging as our adversaries grow bolder and more capable. We have 
seen recent and stark reminders of the threat with constant cyber 
attacks on the financial sector, the Chinese hacking of the New 
York Times and Wall Street Journal, Iranian attacks against a 
Saudi oil company, and reports that information on our most ad- 
vance weapons systems were stolen by the Chinese. 

Earlier this year, an information security company publicly re- 
ported that Chinese attackers are running an extensive cyber espi- 
onage campaign with the likely support of the Chinese Govern- 
ment. More recently, the same company exposed Iranian hacking 
in the United States. 

These troubling developments remind us of how urgently we 
need a coordinated effort to counter and to respond to these at- 
tacks. 

Madam Chair, this committee may be the only one with jurisdic- 
tion over the full complement of Government organizations in- 
volved in cybersecurity. Therefore, as you pointed out, I think it is 
appropriate that we take a lead role in the oversight of this effort, 
working with others. I would like to hear, for example, how each 
of you today perceive the threat and about your continuing efforts 
to protect critical infrastructure against attack and to address the 
cyber threat outside the recently issued Executive order. 
Cybersecurity is an immediate priority, but the framework envi- 
sioned in the Executive order will take time to develop and prob- 
ably even longer to implement. 

There are still areas that need more attention and may require 
legislation, such as information sharing. Additionally, the working 
relationship between the Government and the private sector is still 
a work in progress. Funding requirements also remain unclear in 
this time of fiscal uncertainty. Clearly, a lot needs to be done. 

I look forward today to hearing from our panel of witnesses and 
perhaps they can suggest some of the best ways to protect Govern- 
ment systems and information as you partner with industry to 
strengthen our cyber infrastructure across the board. 

Thank you, Madam Chair. 

Chairwoman Mikulski. Thank you, Senator. 

Now we will turn to our witness panel, and then we will go to 
questions, starting with myself and Senator Shelby and then the 
regular order that we follow in the order of arrival. 

I would like to suggest that General Alexander go first, followed 
by Mr. Beers, Mr. McFeely representing Justice, and Dr. Gallagher, 
you are the wrap-up guy. General Alexander, the microphone is 
yours. 
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STATEMENT OF HON. GENERAL KEITH B. ALEXANDER, COMMANDER, 
U.S. CYBER COMMAND; DIRECTOR, NATIONAL SECURITY AGEN- 
CY; CHIEF, CENTRAL SECURITY SERVICE 

General Alexander. Senator, thank you very much. 

I think what you and Senator Shelby have pointed out with re- 
spect to cyberspace is absolutely important for us to discuss. The 
threats that we face today continue to grow. 

You know, it takes, for the Government, a team to work this. So 
before I go any further, I do want to point out that the team is 
here, and it is great to be part of that team because no one Govern- 
ment department or agency can do it itself. For us, it is going to 
take the partnership between DHS, between the FBI, and with the 
support of NIST especially on the Executive order that Senator 
Shelby brought up for us to work together. 

You know, when I look at what is going on in cyberspace and the 
capabilities that are growing, this is an incredible opportunity for 
us as a Nation and for nations around the world. The technical ca- 
pabilities that we have when you look at what our children are 
using, the iPhones, the iPads, the ability for education — this is a 
tremendous time. When we look at what we can do with this with 
respect to medical care in the future, it is a bright future for us, 
but it is complicated by the fact of cyber espionage, by cyber hack- 
ing, and the threats that Senator Shelby talked about. So I do want 
to hit on that. 

You mentioned the evolution of this threat, and when you look 
at the threat as it has gone forward, some of the things that FBI 
and we see in the Department of Homeland Security work every 
day is a series of exploitations into our networks. The issue is how 
do you fix that. And that issue is complicated by the fact that it 
is not only exploitations that are going on, but we are seeing dis- 
ruptive attacks against our Nation’s infrastructure, Wall Street, 
with a potential for destructive attacks. 

We as a Nation need to step forward and say how are we going 
to work this. The Government team that is here today cannot do 
it without support from industry. We have to have some way of 
working with industry because they own and operate the bulk of 
our Nation’s infrastructure. But we have to do it in a transparent 
way, in a legal way, and we really appreciate the efforts of many 
on this panel, Senator, for what you and others have done to try 
to move that legislation along. But we do need to get there. We do 
need to have a way of working with industry. And Dr. Gallagher 
I know will talk about parts of this. We could not have a better 
person to lead it from NIST. So thanks for what you and the team 
are doing. We do need to begin that dialogue with industry. So part 
of what the Executive order does is give us that opportunity to 
have that dialogue. 

At the same time, we have to look at what we need in legislation 
and get that moving forward. So, Senator, thanks for what you and 
the Intelligence Committee are doing to move that and others. 

From my perspective, Senator, you asked what is it that we need 
to do. I think there are five key things that we are working on. 

First, we have to create a defensible architecture. Both the Intel- 
ligence Community and the Defense Department are moving for- 
ward on what we call the “cloud architecture,” a joint information 
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environment for the Defense Department and the intel commu- 
nity’s IT environment, the same thing for both communities moving 
forward to what is a more defensible architecture. And I think we 
need to move there. So that is the first thing. 

Second, we need to be able to see what is going on in cyberspace 
so that we can work with industry and amongst ourselves because 
getting information after an attack only allows us to police it up. 
We have to have some way of stopping it while it is going on. So 
we need to be able to see it. 

We need a concept for operating in cyberspace not just within the 
Defense Department, but amongst all three of us because we all 
have a role in this, and we all play vital roles, from the Depart- 
ment of Homeland Security’s role for recovery and working with 
commercial industry to the FBI’s law enforcement and investiga- 
tive things to the Defense Department’s responsibility to defend the 
Nation. We have to bring those together and then reach out to say, 
now, how is that going to work with industry and how can we 
share information that is vital to our common defense. We have to 
do that. 

We need trained and ready forces. I think that is one of the most 
important things that the Congress expects of me of Cyber Com- 
mand and of NSA to, within the Department, create trained and 
ready forces that are trained to a higher standard, both on the de- 
fense and on the offense, those capabilities that our Nation needs 
that are trained to that standard that know how to operate law- 
fully to protect American civil liberties and privacy and to protect 
this Nation in cyberspace. We have to be able to do all three. 

And we have to have a capacity to act when authorized, the rules 
of engagement and the other authorities. 

We are working those five. 

From my perspective, the men and women of Cyber Command 
and NSA — we have tremendous technical talent. We really do. And 
these are great people. Our Nation has invested a lot in these peo- 
ple. They do this lawfully. They take compliance oversight, pro- 
tecting civil liberties and privacy, and the security of this Nation 
to their heart every day. I could not be more proud of the men and 
women of NSA and Cyber Command. What we now need to do is 
take the next step in moving that forward. 

That is all I have at this time, Senator. I will defer now to my 
colleague, Mr. Beers. 

[The statement follows:] 

Prepared Statement of Hon. General Keith B. Alexander 

Thank you very much, Chairwoman Mikulski and Ranking Member Shelby, for 
inviting me to speak to you and your colleagues. I am here representing the Depart- 
ment of Defense in general and the men and women, military and civilian, who 
serve at U.S. Cyber Command (USCYBERCOM) and the National Security Agency/ 
Central Security Service (NSA/CSS). It is my honor to appear today with colleagues 
from the Department of Justice (DOJ) and its Federal Bureau of Investigation (FBI), 
the Department of Homeland Security (DHS), and the National Institute of Science 
and Technology (NIST). I hope to describe some of the challenges we face in per- 
forming the difficult but vital missions of keeping U.S. national security systems se- 
cure, helping to protect our Nation’s critical infrastructure from national-level cyber 
attacks, and working with other U.S. Government agencies, State and local authori- 
ties, national allies, and the private sector in defending our Nation’s interests in 
cyberspace. Together we make up a team deeply committed to compliance with the 
law and the protection of privacy rights that works every day with other U.S. Gov- 
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ernment agencies, industry, academia, citizens, and allies, for only our combined ef- 
forts will enable us to make progress in cybersecurity for the Nation as a whole. 

DEFENDING THE NATION IN CYBERSPACE 

I would like to start today by discussing the two elements of this team that I lead. 
USCYBERCOM is a subunified command of U.S. Strategic Command in Omaha, 
though we are based at Fort Meade. USCYBERCOM’s mission is to plan, coordinate, 
integrate, synchronize and conduct activities to direct the operations and defense of 
Department of Defense information networks. We also prepare to, and when di- 
rected, conduct full-spectrum military cyberspace operations in order to enable tra- 
ditional military activities, ensure U.S./Allied freedom of action in cyberspace, and 
deny our adversaries the ability to harm us or our allies. USCYBERCOM has three 
operational focus areas: defending the Nation, supporting the Combatant Com- 
mands, and defending DOD Information Networks. As I noted when I testified be- 
fore the Armed Services Committee in March, USCYBERCOM will address these 
three operational focus areas with its new Cyber Mission Forces, organized into Na- 
tional Mission Teams, Combat Mission Teams and Cyber Protection Teams. 

Due to the intersecting responsibilities of the two organizations, USCYBERCOM 
was placed at the headquarters of NSA/CSS at Fort Meade. NSA/CSS collects sig- 
nals intelligence on our cyber adversaries; and provides information assurance strat- 
egies and technologies to protect our national security systems. The conduct of these 
two missions is critical to enabling cyber operations. NSA/CSS also has multiple, 
technical capabilities critical to the cyber mission area, such as high-performance 
computing and large-scale, distributed processing and data storage. These are just 
some of the components of what we call the cryptologic platform; it constitutes the 
collection of signals intelligence and communications security capabilities that since 
1952 have served users ranging from national customers, to departmental analysts, 
to battlefield commanders. The defense of U.S. military networks depends on know- 
ing what those who would harm us are doing in cyberspace, which in turn depends 
on intelligence produced by NSA and other members of the Intelligence Community 
regarding adversary intentions and capabilities. 

Cyberspace is characterized by high levels of convergence of separate and dif- 
ferent networks and technology that have come together to form something greater 
than the sum of the parts. In this regard, USCYBERCOM’s co-location with NSA/ 
CSS mirrors the convergence in cyberspace and is a direct result of that techno- 
logical shift. What we have learned is that if convergence is the reality of the cyber 
environment, then integration must be the reality of our response. Co-location pro- 
motes intense and mutually beneficial collaboration in an operational environment 
in which USCYBERCOM’s success relies on net-speed intelligence. Although they 
are separate and distinct organizations with their own missions and authorities, 
NSA/CSS is a major force multiplier for USCYBERCOM, pairing the Command’s op- 
erators, planners, and analysts with the expertise and assistance of NSA/CSS’ cryp- 
tographers, analysts, access developers, on-net operators, language analysts, and 
support personnel. These are close working relationships that enable seamless, 
deconflicted operations that are vital to the success of the cyber mission. Co-location 
also improves the deconfliction of operations; physical proximity enhances mutual 
understanding and awareness of mission areas and helps forge effective partner- 
ships that serve both organizations and the Nation well. Only a tightly integrated 
team, and tightly integrated solutions, can do what is required to address cyber 
threats at net speed. 

I serve as the dual-hatted Commander, USCYBERCOM, and Director, NSA/Chief, 
CSS. The dual-hatting unifies the capabilities for full-spectrum cyber operations 
under a single official, maximizes the leverage of NSA/CSS cyber capabilities, capac- 
ities, and authorities, and establishes unity of effort in cyberspace for the Depart- 
ment of Defense. It allows deconfliction of the use of the cryptologic platform to 
occur with full knowledge of the needs of both organizations on a timely basis. To- 
gether, the people under my command and direction at USCYBERCOM and NSA/ 
CSS work in concert but always under their respective authorities. They direct the 
operation of the Department’s information networks, detect threats in foreign cyber- 
space, attribute threats, secure national security information systems, and help en- 
sure freedom of action for the United States military and its allies in cyberspace — 
and, when directed, defend the Nation against a cyber attack. 

In keeping with the DOD’s Strategy for Operating in Cyberspace, USCYBERCOM 
and NSA/CSS are together assisting the Department in building: (1) a defensible ar- 
chitecture; (2) global situational awareness and a common operating picture; (3) a 
concept for operating in cyberspace; (4) trained and ready cyber forces; and (5) the 
capacity to take action when authorized. Indeed, with another key mission partner 
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in DOD — the Defense Information Systems Agency (DISA), also based at Fort 
Meade — we are finding that our progress in each of these five areas benefits our 
efforts in the rest. We are improving our tactics, techniques, and procedures, as well 
as our policies and organizations. This means building cyber capabilities into doc- 
trine, plans, and training — and building them in a way that senior leaders can plan 
and integrate such capabilities as they would capabilities in the air, land, and sea 
domains. 

The imperative to accomplish this mission grows every day. We operate in a dy- 
namic and contested domain that literally changes its characteristics each time 
someone powers on a networked device. Make no mistake: in light of the real and 
growing threats in cyberspace, our Nation needs a strong DOD role in cyberspace. 
While we feel confident that most foreign leaders believe that a devastating attack 
on the critical infrastructure and population of the United States by cyber means 
would elicit a prompt and proportionate response, it is possible, however, that some 
regime or cyber actor could misjudge the impact and the certainty of our resolve. 
In particular, we are not yet deterring the persistent cyber harassment of private 
and public sites, property, and data. Such attacks have not caused loss of life, but 
they have been destructive to both data and property in other countries. The remote 
assaults last summer on Saudi Aramco and RasGas, for example, rendered inoper- 
able — and effectively destroyed the data on — more than 30,000 computers. Cyber 
programs and capabilities are growing, evolving, and spreading; we believe it is only 
a matter of time before the sort of sophisticated tools developed by well-funded state 
actors find their way to groups or even individuals who in their zeal to make some 
political statement do not know or do not care about the collateral damage they in- 
flict on bystanders and critical infrastructure. The United States is already a target. 
Networks and Web sites owned by Americans and located here have endured inten- 
tional, state-sponsored attacks, and some have incurred degradation and disruption 
because they happened to be along the route to another state’s overseas targets. Our 
critical infrastructure is thus doubly at risk. On a scale of 1 to 10, with 10 being 
strongly defended, our critical infrastructure’s preparedness to withstand a destruc- 
tive cyber attack is about a 3 based on my experience. There are variations in pre- 
paredness across sectors, but all are susceptible to the vulnerabilities of the weak- 
est. 

Let me draw your attention to another serious threat to U.S. interests: the con- 
tinuing and systematic cyber exploitation of American companies and enterprises, 
and the resulting theft of intellectual property. Many such incidents are perpetrated 
by organized cybercriminals, but foreign government-directed cyber operators, tools, 
and organizations are targeting the data of American and Western businesses, insti- 
tutions, and citizens. Certain nations have a resourced national strategy to grow 
their economies by intellectual property (IP) theft. They target any company with 
valuable IP or a leading position in its sector — and not just that company itself. 
Even companies that have protected their information have partners that could be 
“soft” targets. Are we susceptible? In the United States, intrusions have occurred 
against the best in the security business. The collective damage that such intrusions 
inflict on America’s economic competitiveness and innovation edge is profound, 
translating into missed opportunities for U.S. companies and the potential for lost 
American jobs. Cyber theft jeopardizes our economic well-being. 

THE U.S. FEDERAL CYBERSECURITY TEAM 

No Federal department or agency is solely responsible for addressing the cyber 
threat, and none has been designated as the Federal cybersecurity lead because 
each brings unique authorities, resources, and capabilities to the effort. 
Cybersecurity requires a team approach, where the leadership and support roles 
change depending on the nature of the threat and the required response. Together, 
three departments carry out important roles and responsibilities as part of the 
broader U.S. Federal cybersecurity team in order to provide for the Nation’s 
cybersecurity: 

— The DOJ is the lead Federal department responsible for the investigation, attri- 
bution, disruption and prosecution of cybersecurity incidents. Within the DOJ, 
the FBI conducts domestic collection, analysis, and dissemination of cyber 
threat intelligence. 

— The DHS is the lead Federal department responsible for national protection 
against, mitigation of, and recovery from domestic cybersecurity incidents. The 
DHS is also the lead for securing unclassified Federal civilian government net- 
works and working with owners and operators of critical infrastructure to se- 
cure their networks through risk assessment, mitigation incident-response capa- 
bilities. 
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— The DOD is ultimately responsible for defending the Nation from attack in 
cyberspace, just as it is in all other domains. In the event of a foreign cyber 
attack on the United States with the potential for significant national security 
or economic consequences, the DOD, including USCYBERCOM with the support 
of NSA/CSS, will be prepared to respond. 

These efforts depend on shared situational awareness and integrated operations 
across the U.S. Government, State and local authorities, and international partners. 
Together, we are helping to increase our global situational awareness through our 
growing collaboration with Federal Government mission partners and other depart- 
ments and agencies, as well as with private industry and with other countries. That 
collaboration allows us to better understand what is happening across the cyber do- 
main, which enhances our situational awareness, not only for DOD but also across 
the U.S. Government. 

Under the joint leadership of DHS and NSA, the FBI and the other Federal 
cybersecurity centers created a framework to describe cybersecurity functions and 
information exchanges and are now developing an implementation plan for an infor- 
mation sharing environment that will create a cross-government shared situational 
awareness that is extensible to other partners such as the State and local govern- 
ments and our allies. Implementing this capability to improve our collective re- 
sponse actions is one of the President’s top cyber priorities for fiscal year 2014. 

Successful operations in cyberspace depend on collaboration between defenders 
and operators. Those who secure and defend must synchronize with those who oper- 
ate, and their collaboration must be informed by up-to-date intelligence. I see great- 
er understanding today of the importance of this synergy across the Department, 
the government, and our public at large. Last fall the departments negotiated, and 
the President endorsed, a broad clarification of the responsibilities of the various or- 
ganizations and capabilities operating in cyberspace, revising the procedures we em- 
ploy for ensuring that, in the event of a cyber incident of national significance, we 
are prepared to act with all necessary speed in a coordinated and mutually-sup- 
porting manner. USCYBERCOM is also being integrated into the National Event 
response process, so that a cyber incident of national significance can elicit a fast 
and effective response, to include self-defense actions where approved, necessary, 
and appropriate. 

As part of this progress, we in the Federal Government are working with State, 
local, international, and private partners. NSA/CSS, for example, is defining secu- 
rity dimensions that government and private users can utilize for “cloud” architec- 
tures, and has shown how we can manage large quantities of data and still preserve 
strong security. We have even shared the source code publicly so public and private 
architectures can benefit from it. USCYBERCOM has sponsored not only an expand- 
ing range of training courses but also two important exercises, CYBER FLAG and 
CYBER GUARD. The former is USCYBERCOM’s major Command-level exercise, 
the most recent iteration of which brought in international partners to practice 
force-on-force maneuvers in cyberspace. The latter assembled 500 participants last 
summer, including a hundred from the National Guards of 12 States. They exercised 
State- and national-level responses in a virtual environment, learning each other’s 
comparative strengths and concerns should an adversary attack our critical infra- 
structure in cyberspace. 


RESOURCES 

For the past 5 years, Federal cyber-related spending and performance reporting 
have been organized around the Comprehensive National Cybersecurity Initiative 
(CNCI), from which NSA/CSS received a significant amount of funding to provide 
specialized capabilities and foundational support to address the cyber threat. Last 
summer — and planned as a yearly exercise — the administration issued a data call, 
which includes CNCI and non-CNCI investments, in order to better understand and 
track cybersecurity and cyberspace operations funding. NSA/CSS’s budget under 
this taxonomy represents spending under the major cybersecurity categories: (1) 
Prevent malicious cyber activity; (2) Detect, analyze, and mitigate intrusions; and 
(3) Shape the cybersecurity environment. These investments are fundamental to our 
overall cybersecurity strategy to develop and deploy unique cyber capabilities that 
leverage the use of signals intelligence to enhance network defense. Additional in- 
vestments in cyberspace operations provide the foundational infrastructure nec- 
essary to build those capabilities as well as support full spectrum cyberspace oper- 
ations in direct support of Combatant Command requirements (e.g., cryptanalysis, 
net-centric capabilities, data repositories, sensor deployments, and research). 

From the operational perspective, the ultimate objective of cybersecurity is to 
deny the adversary any opportunity to exploit our systems. Doing so requires that 
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we protect ourselves from both known and unknown threats as we execute our com- 
prehensive strategy of hardening our networks, defending our networks, and 
leveraging all instruments of national power — both within our own networks and 
beyond. We have made significant progress in realizing the mission capabilities and 
cryptologic capacity required to meet the demands of operating in cyberspace. While 
there is still much work to do, I’d like to highlight a few of the ongoing efforts in 
implementing our strategy. 

The Department of Defense is responsible for 7 million networked devices and 
thousands of enclaves. USCYBERCOM and NSA/CSS work around the clock with 
DISA to monitor what is happening on global networks and the functioning of 
DOD’s information enterprise. We are also helping the Department build the DOD 
Joint Information Environment (JIE), comprising a shared infrastructure, enterprise 
services, and a single security architecture to improve mission effectiveness, in- 
crease security, and realize IT efficiencies. The JIE will be the base from which we 
can operate knowing that our networks are safer from adversaries. Senior officers 
from USCYBERCOM and NSA/CSS sit on JIE councils and working groups, playing 
a leading role with the office of the DOD’s Chief Information Officer, Joint Staff J6, 
and other agencies in guiding the Department’s implementation of the JIE. NSA/ 
CSS in particular serves as the Security Advisor to the JIE, and is defining the se- 
curity dimension of that architecture. 

Moving to the JIE will make sharing and analytics easier while also enhancing 
security. I know this sounds paradoxical but it is nonetheless true, as NSA/CSS has 
demonstrated in its cloud capability and its support for the Intelligence Commu- 
nity’s growing Information Technology Enterprise (IC ITE). Let me emphasize our 
confidence that the JIE will save resources for the Department — moving to it will 
give us greater capability and security at less cost. 

Our progress, however, can only continue if we are able to fulfill our urgent re- 
quirement for sufficient trained, certified, and ready forces to defend U.S. national 
interests in cyberspace. Last December, DOD endorsed the force presentation model 
we need to implement this new operating concept. We are establishing cyber mis- 
sion teams in line with the principles of task organizing for the joint force. The 
Services are building these teams to present forces for STRATCOM in support of 
USCYBERCOM-delegated Unified Command Plan mission. They will soon be capa- 
ble of operating on their own, with a range of operational and intelligence skill sets, 
as well as a mix of military and civilian personnel. They will also have appropriate 
operating authorities under order from the Secretary of Defense and from my capac- 
ity as the Director of NSA/CSS. Each of these cyber mission teams is being trained 
to common and strict operating standards so that they can be online without putting 
at risk our own military, diplomatic, or intelligence interests. 

I must also mention our concerns over the ongoing budget uncertainty. Foremost 
in the minds of many of our people are the looming furloughs which entail up to 
11 days without pay between July 7 and September 21. While many of our per- 
sonnel are exempted from the furloughs, others are not, and their absence will de- 
grade our mission readiness and performance this summer and beyond, and make 
the development of a strong and capable cyber force more problematic. Our people 
truly are our most important capability. We can and have showcased the incredibly 
valuable contributions made by our entire workforce daily in securing our networks, 
supporting our war fighters, and providing unique insights into foreign intelligence 
targets. I want to emphasize the harmful impact of furloughs on the vital mission 
and functions we perform and on the people we have entrusted to perform or enable 
them. Furloughs make hiring new personnel harder and will drive our best per- 
sonnel away to jobs awaiting in the private sector. Our USCYBERCOM and NSA/ 
CSS workforce, regardless of funding stream, is one that by definition seamlessly 
collaborates across the many functions and disciplines that constitute our capabili- 
ties and operations. All are essential to the whole. 

GUARDING PRIVACY AND CIVIL LIBERTIES 

Let me emphasize that our Nation’s security in cyberspace is not a matter of re- 
sources alone. It is an enduring principle and an imperative. Everything depends 
on trust. We operate in a way that ensures we keep the trust of the American peo- 
ple because that trust is a sacred requirement. We do not see a tradeoff between 
security and liberty. It is not a choice, and we can and must do both simultaneously. 
The men and women of USCYBERCOM and NSA/CSS take this responsibility very 
seriously, as do I. Beyond my personal commitment to do this right, there are mul- 
tiple oversight mechanisms in place. Given the nature of our work, of course, few 
outside of our Executive, Legislative and Judicial Branch oversight bodies can know 
the details of what we do or see that we operate every day under strict guidelines 
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and accountability within one of the most rigorous oversight regimes in the U.S. 
Government. For those of you who do, and who have the opportunity to meet with 
the men and women of USCYBERCOM and NSA/CSS, you have seen for yourself 
how seriously we take this responsibility and our commitment to earning and main- 
taining your trust. 


LEGISLATION 

Although the February 2013 Executive order will help raise the Nation’s cyber de- 
fenses, it does not eliminate the urgent need for legislation in these and other areas 
of cybersecurity. The administration’s legislative priorities for the 113th Congress 
build upon the President’s 2011 Cybersecurity Legislative Proposal and take into ac- 
count 2 years of public and congressional discourse about how best to improve the 
Nation’s cybersecurity. We support legislation that: 

— Facilitates cybersecurity information sharing between the government and the 
private sector as well as among private sector companies. We believe that such 
sharing can occur in ways that protect privacy and civil liberties, reinforce the 
appropriate roles of civilian and intelligence agencies, and include targeted li- 
ability protections; 

— Incentivizes the adoption of best practices and standards for critical infrastruc- 
ture by complementing the process set forth under the Executive order; 

— Gives law enforcement the tools to fight crime in the digital age; 

— Updates Federal agency network security laws, and codifies DHS’ cybersecurity 
responsibilities; and 

— Creates a National Data Breach Reporting requirement. 

In each of these legislative areas, we want to incorporate appropriate privacy and 
civil liberties safeguards. 

The administration wants to continue the dialogue with the Congress and stands 
ready to work with Members of Congress to incorporate our core priorities to 
produce cybersecurity information-sharing legislation that addresses these critical 
issues. 


CONCLUSION 

Thank you again, Madam Chairwoman and members of the committee, for invit- 
ing me to speak to you today. I also thank you on behalf of the men and women 
of USCYBERCOM and NSA/CSS for your support, and for the support of the Con- 
gress. We are working to mitigate the vulnerabilities inherent in any networked en- 
vironment or activity while ensuring that the benefits that we gain and the effects 
we can create are significant, predictable, and decisive. If I could leave you with one 
thought about the course of events, it is that we have no choice but to “normalize” 
cyberspace operations and to make them part of the capability set of our senior pol- 
icymakers and commanders. We are working closely with our interagency partners 
as well as other DOD elements. This is a necessity, for, as I suggest above, our Na- 
tion faces diverse and persistent threats in cyberspace that cannot be defeated 
through the efforts of any single organization. Most cyber operations are interagency 
efforts, almost by definition. We have gained valuable insight from the great work 
of partners like the Departments of Justice, Commerce, and Homeland Security, as 
well as from the collaboration of industry, academia, and allies. Indeed, the flow of 
information and expertise across the commands, agencies, departments and foreign 
mission partners here and overseas is improving slowly but steadily. We have much 
to gain from this partnership, but perhaps not much more time left before our situa- 
tion in cyberspace becomes even more worrisome than today. And now I look for- 
ward to your questions. 

STATEMENT OF HON. RAND BEERS, ACTING DEPUTY SECRETARY, DE- 
PARTMENT OF HOMELAND SECURITY 

Mr. Beers. Thank you, General Alexander, and Chairwoman Mi- 
kulski, Ranking Member Shelby, and other distinguished members 
of the committee. 

We all welcome this opportunity to appear before you. As you 
said, Senator Mikulski, this is a unique opportunity to talk about 
the range of cybersecurity activities across the Government, and we 
welcome that. 

As most of you know, cybersecurity is one of the five major mis- 
sions of the Department of Homeland Security and one that we 
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take very seriously. The threats that we face are varied and seri- 
ous, and in that regard, our cybersecurity mission focuses in two 
primary areas. They are to protect the Federal civilian networks 
and to work with the private sector to protect America’s critical in- 
frastructure. 

In that regard and as the chairwoman mentioned, the President’s 
policy initiatives for the year ahead are to secure Federal networks, 
to protect critical infrastructure, to improve incident response, to 
engage internationally, and to shape the future. 

With respect to the first, this is one of the major areas that DHS 
is responsible for. We are investing about $600 million in pro- 
tecting Federal networks through our intrusion protection systems 
and through our continuous diagnostics and mitigation systems. 
We are also working heavily with America’s critical infrastructure, 
both public and private. 

We are working under the Executive order with our partners in 
NIST to create the cybersecurity framework, and this is, as you 
know, an important initiative on our part. The Executive order, as 
you know, is the administration’s effort after an attempt to get leg- 
islation last year. That is not to say that we still are not interested 
in getting that legislation, and that is certainly something that we 
want to talk about in the time ahead. 

In addition to that, we are working to improve incident response, 
working with our partners in the FBI and with the National Secu- 
rity Agency. This is a “call to one, call to all” initiative in which 
we work together both in our headquarters and our operation cen- 
ter in terms of sharing information and where we work together in 
the field in the deployment of teams to go to particular sites of par- 
ticular incidents in order to determine what happened and in order 
to be able to provide information to other parts of the private sector 
that will help them prevent the same kind of an incident from oc- 
curring. 

We are also involved in the international area with individual 
countries and partners around the world, but also with the Euro- 
pean Union as well. While it is a small program within the Depart- 
ment of Homeland Security, it is a very important program and we 
have a lot of key partners that we work with. And that is just in 
terms of the engagement in terms of face to face. In terms of the 
information sharing, our whole incident response structure, the Na- 
tional Cybersecurity Communications and Integration Center, on a 
regular basis shares information internationally with other com- 
puter emergency readiness teams around the world in order to do 
with them what we do for ourselves nationally in order to protect 
cyberspace around the world. 

And finally, we work in terms of our research and development 
and other activities to try to shape the future. 

This is an important effort that is ongoing, one in which, as Gen- 
eral Alexander said, we could not do if we were doing it individ- 
ually in DHS. It takes all of us here at the table to make this work. 

And I want to thank you for the opportunity to speak with you 
today and to talk about DHS programs and our teamwork together. 
Thank you. 

[The statement follows:] 
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Prepared Statement of Hon. Rand Beers 

Cyberspace is woven into the fabric of our daily lives. According to recent esti- 
mates, globally interconnected communications and information networks that oper- 
ate in this space encompass more than 2 billion people with at least 12 billion com- 
puters and devices, including global positioning systems, mobile phones, satellites, 
data routers, ordinary desktop computers, and industrial control computers that run 
power plants, water systems, and more. 

While this increased connectivity has led to significant transformations and ad- 
vances across our country — and around the world — it also has increased the impor- 
tance and complexity of our shared risk and requires a collaborative approach with- 
in government and between governments and the private sector. Our daily activi- 
ties, economic vitality, and national security depend on the Nation’s ability to secure 
cyberspace. A vast array of interdependent information technology (IT) networks, 
systems, services, and resources are critical to communication, travel, powering our 
homes, running our economy, and obtaining government services. No country, indus- 
try, community or individual is immune to cyber risks. The word “cybersecurity” 
itself encompasses prevention, protection and resilience against a broad range of 
malicious activity from a variety of actors perpetrating denial of service attacks, tar- 
geting our financial system to steal millions of dollars, accessing valuable trade se- 
crets, and intruding into government networks and systems that control our critical 
infrastructure. 

Cyber attacks and intrusions can have very real consequences in the physical 
world. The Department of Homeland Security (DHS) is the lead Federal civilian de- 
partment responsible for coordinating the national protection, prevention, mitiga- 
tion, and recovery from cyber incidents and works regularly with business owners 
and operators to take steps to strengthen their facilities and communities. The De- 
partment’s National Cybersecurity and Communications Integration Center 
(NCCIC) works daily to enhance situational awareness among stakeholders, includ- 
ing those at the State and local level, as well as industrial control system owners 
and operators, by providing critical cyber threat, vulnerability, and mitigation data 
to a number of organizations including through Information Sharing and Analysis 
Centers, which are cybersecurity resources for critical infrastructure sectors. Last 
year DHS notified potential targets of a campaign of cyber intrusions that focused 
on natural gas and pipeline companies that was highly targeted, tightly focused and 
well crafted. With the assistance of our interagency partners, we responded to this 
campaign with a comprehensive effort that included outreacb, technical assistance, 
and mitigation. 

The U.S. Government has worked closely with the private sector during the recent 
series of denial-of-service incidents against the financial sector. Together with our 
interagency partners, we have provided classified cyber threat briefings and tech- 
nical assistance to help banks improve their defensive capabilities. This includes 
identifying and releasing hundreds of thousands of distributed denial of service-re- 
lated IP addresses and supporting information in order to help financial institutions 
and their IT security service providers improve their defenses. In addition to shar- 
ing with these private sector entities, DHS working with the Department of State 
(DOS) has provided this threat information to more than 120 international partners, 
many of whom have contributed to our mitigation efforts. These developments rein- 
force the need for greater information sharing and collaboration among government, 
industry, and individuals to reduce the ability for malicious actors to establish and 
maintain capabilities to carry out such efforts. 

In addition to these attacks and intrusions, we also face a range of traditional 
crimes now perpetrated through cyber networks. These include child pornography 
and exploitation, as well as banking and financial fraud, all of which pose severe 
economic and human consequences. For example, in March 2012, the U.S. Secret 
Service (USSS) worked with U.S. Immigration and Customs Enforcement (ICE) to 
arrest nearly 20 individuals in its “Operation Open Market,” which seeks to combat 
transnational organized crime, including the buying and selling of stolen personal 
and financial information through online forums. 

Additionally, in late May 2013, the Secret Service, in close coordination with U.S. 
Immigration and Customs Enforcement’s (ICE) Homeland Security Investigations 
(HSI) and the Global Illicit Financial Team, arrested five individuals and seized 
bank accounts containing approximately $20 million located in eight countries. The 
investigation of Liberty Reserve, a transnational online payment processor and 
money transfer system, led to the seizure of an online domain owned and operated 
by the company. It is alleged that Liberty Reserve is used by criminal elements 
worldwide to launder money and distribute illegal proceeds globally. Liberty Reserve 
had approximately 1 million users worldwide with more than 200,000 users in the 
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United States. It is estimated that Liberty Reserve processed more than 12 million 
financial transactions annually with a combined value of more than $1.4 billion. 
Overall, Liberty Reserve processed an estimated 55 million separate financial trans- 
actions and is believed to have laundered more than $6 billion in criminal proceeds. 
The United States Attorney’s Office for the Southern District of New York is pros- 
ecuting this case. 

As Americans become more reliant on modern technology, we also become more 
vulnerable to cyber exploits such as corporate security breaches, social media fraud, 
and spear phishing, which targets employees through emails that appear to be from 
people they know, allowing cyber criminals to steal personal and business informa- 
tion. 

Cybersecurity is a shared responsibility, and each of us has a role to play. Emerg- 
ing cyber threats require engagement from government, the private sector, law en- 
forcement, and members of the public. The success of our efforts to reduce 
cybersecurity risks depends on effective identification of cyber threats and 
vulnerabilities, analysis, and enhanced information sharing between departments 
and agencies from all levels of government, the private sector, international entities, 
and the American public. 

DEPARTMENT OF HOMELAND SECURITY MISSION IN PROTECTING GOVERNMENT 
NETWORKS AND CRITICAL INFRASTRUCTURE 

DHS is committed to ensuring cyberspace is supported by a secure and resilient 
infrastructure that enables open communication, innovation, and prosperity while 
protecting privacy, confidentiality, and civil rights and civil liberties by design. The 
Department is achieving its cybersecurity mission by helping to create a safe, se- 
cure, and resilient cyber environment while promoting cybersecurity knowledge and 
innovation. 

DHS has operational responsibilities for securing unclassified Federal civilian gov- 
ernment networks and working with owners and operators of critical infrastructure 
to secure their networks through cyber threat analysis, risk assessment, mitigation, 
and incident response capabilities. The Department is also responsible for coordi- 
nating the Federal Government response to significant cyber or physical incidents 
affecting critical infrastructure consistent with Presidential Policy Directive (PPD) 
21. In addition, the Department combats cyber crime by leveraging the skills and 
resources of the USSS and ICE and working in cooperation with partner organiza- 
tions to investigate cyber criminals. In addition, pursuant to the President’s recent 
Executive Order 13636 on Improving Critical Infrastructure Cybersecurity as well 
as Presidential Policy Directive 21 on Critical Infrastructure Security and Resil- 
ience, we are working with our partners to strengthen the security and resilience 
of critical infrastructure through an updated and overarching national framework 
that acknowledges the increased role of cybersecurity in securing physical assets. 

RESPONSE TO CYBER EVENTS 

The NCCIC is a key component of DHS’s ability to work with government, indus- 
try, and international partners to protect critical cyber and communications sys- 
tems. To create shared situational awareness, the NCCIC integrates internal anal- 
ysis and data, Intelligence Community and law enforcement reporting, and data 
shared by private sector and international partners into a comprehensive series of 
actionable information products, including joint products with the Federal Bureau 
of Investigation (FBI). The NCCIC works closely with those Federal agencies most 
responsible for helping to enhance the cybersecurity of critical infrastructures, in- 
cluding the Departments of Treasury and Energy. 

In addition to Federal partners, the NCCIC also actively engages with the appro- 
priate private sector entities; information sharing and analysis centers; State, local, 
tribal, and territorial (SLTT) governments, including the Multi-State Information 
Sharing and Analysis Center (MS-ISAC); and international partners. As integral 
parts of the cybersecurity and communications community, these groups work to- 
gether to protect the portions of critical information technology that they interact 
with, operate, manage, or own. The NCCIC leverages the collective capabilities of 
its partners to provide joint incident response to assist with forensic investigations, 
malware analysis, review network data, and security posture assessment. 

To further increase awareness of both cyber threat and resources available, the 
NCCIC and the United States Computer Emergency Readiness Team (US-CERT) 
have conducted approximately 50 threat briefings thus far in fiscal year 2013 as a 
part of our outreach effort to our Federal, SLTT, and private sector partners. Since 
2009, the NCCIC has responded to nearly half a million incident reports and re- 
leased more than 26,000 actionable cybersecurity alerts to the Department’s public 
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and private sector partners. An integral player within the NCCIC, the US-CERT 
also provides response support and defense against cyber-attacks for Federal civilian 
agency networks as well as private sector partners upon request. US-CERT collabo- 
rates and shares information with State and local government, industry, and inter- 
national partners, consistent with rigorous privacy, confidentiality, and civil lib- 
erties guidelines, to address cyber threats and develop effective security responses. 
In 2012, US-CERT processed approximately 190,000 cyber incidents involving Fed- 
eral agencies, critical infrastructure, and the Department’s industry partners — a 68- 
percent increase from 2011. In addition, US-CERT issued over 20,411 actionable 
cyber-alerts over the past 3 years that were used by private sector and government 
agencies to protect their systems. 

Similar growth has been seen for the Department’s Industrial Control Systems 
Computer Emergency Response Team (ICS-CERT) and National Coordinating Cen- 
ter for Telecommunications (NCC), whose outreach has resulted in providing access 
to cyber threat information to more than 980 and 300 entities, respectively. ICS- 
CERT also responded to 177 incidents last year while completing 89 site assistance 
visits and deploying 15 teams with US-CERT to assist with significant private sec- 
tor cyber incidents. This rapid increase in production for ICS-CERT, including the 
dissemination of more than 800 products over the past 3 years, yielded them the 
award of Best Security Team by SC Magazine at the 2013 RSA Security Conference. 

The effectiveness of DHS’s cyber protection, response, mitigation and recovery re- 
lies heavily on sharing information with the private sector. In 2011, DHS launched 
the Cyber Information Sharing and Collaboration Program (CISCP), which is spe- 
cifically designed to elevate the cyber awareness of all critical infrastructure sectors 
through close and timely cyber threat information sharing and direct analytical ex- 
change. The Department is constantly enhancing the CISCP. In an effort to ensure 
the program continues to evolve with the needs of industry, DHS has conducted nu- 
merous feedback sessions, monthly collaboration conference calls, and three face-to- 
face technical exchanges. It is also working to automate the program so that it can 
share information in real-time. 

In addition to the CISCP, DHS, in close collaboration with interagency and pri- 
vate sector partners, is continuing to expand the Enhanced Cybersecurity Services 
(ECS) program, which establishes a voluntary information sharing program that as- 
sists critical infrastructure owners and operators to improve protection of their sys- 
tems from unauthorized access, exploitation, or data exfiltration. DHS works with 
cybersecurity organizations from across the U.S. Government to gain access to a 
broad range of cyber threat information. ECS consists of the operational processes 
and security oversight required to share sensitive and classified cyber threat infor- 
mation with qualified Commercial Service Providers (CSP). The ECS program devel- 
ops threat “indicators” with this information and provides CSPs with those indica- 
tions of active, malicious cybersecurity activity to better protect their critical-infra- 
structure customers. 

In fiscal year 2013, DHS has already shared more than 200,000 indicators via the 
ECS program and other Joint Indicator Bulletin products with partners for com- 
puter network defense. CSPs may use these threat indicators to provide approved 
cybersecurity services to critical infrastructure entities. ECS augments, but does not 
replace, entities’ existing cybersecurity capabilities. The program was also built with 
privacy and civil liberties protections in mind. Consistent with their commercial 
agreements with the protected entities, CSPs are not required to share with the 
Government, but may voluntarily do so. The incident information is anonymized, 
unless the protected entity consents to having its identity provided to DHS. 

COMBATING CYBER CRIME 

DHS employs more law enforcement agents than any other department in the 
Federal Government and has personnel stationed in every State and in more than 
75 countries around the world. Since 2009, DHS has prevented $10 billion in poten- 
tial losses through cyber crime investigations and arrested more than 5,000 individ- 
uals for their participation in cyber crime activities. 

The Department leverages the 31 USSS Electronic Crimes Task Forces (ECTF), 
which combine the resources of academia, the private sector, and local, State and 
Federal law enforcement agencies to combat computer-based threats to our financial 
payment systems and critical infrastructure. A recently executed partnership be- 
tween ICE Homeland Security Investigations and USSS demonstrates the Depart- 
ment’s commitment to leveraging capability and finding efficiencies. Both organiza- 
tions will expand participation in the existing ECTFs. In addition to strengthening 
each agency’s cyber investigative capabilities, this partnership will produce benefits 
with respect to the procurement of computer forensic hardware, software licensing, 
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and training that each agency requires. The Department is also a partner in the 
National Cyber Investigative Joint Task Force, which serves as a collaborative enti- 
ty that fosters information sharing across the interagency. 

In fiscal year 2012, the Secret Service arrested 1,378 individuals for cyber-crime 
violations while maintaining a 99.6-percent conviction rate; these criminals were re- 
sponsible for over $335 million in fraud losses and could have potentially caused 
over $1.2 billion in fraud loss based on financial account information in their posses- 
sion at the time of their arrest. As part of its protective duties, the Secret Service 
has developed a Critical Systems Protection Program, which assesses and mitigates 
the risks to critical infrastructure that could impact Secret Service protectees or Na- 
tional Special Security Events (NSSEs). This program applies risk management 
practices developed by the National Institute of Standards and Technology to help 
critical infrastructure owners and operators secure their systems from cyber threats. 
From October 2009 to May 2013 this program has conducted over 560 advances and 
secured eight NSSEs. 

In the course of investigating cyber crimes over the last 30 years, the Secret Serv- 
ice has developed a number of cybersecurity capabilities to support its mission. The 
backbone of the ECTFs is its Electronic Crimes Special Agent Program (ECSAP), 
which is comprised of nearly 1,400 Secret Service special agents who have received 
at least one of three levels of computer crimes-related training. These agents are 
deployed in more than 98 Secret Service offices throughout the world and have re- 
ceived training in forensic identification, preservation and retrieval of electronically 
stored evidence. ECSAP-trained agents are computer investigative specialists, quali- 
fied to conduct examinations on all types of electronic evidence. These special agents 
are equipped to investigate the continually evolving arena of electronic and cyber 
crimes and have proven invaluable in the successful prosecution of criminal groups 
involved in computer fraud, bank fraud, identity theft, access device fraud and var- 
ious other electronic and cyber crimes targeting our financial institutions and pri- 
vate sector. USSS also supports State and local law enforcement, in addition to 
other Federal agencies, by making these capabilities available to support their oper- 
ations. 1 They include computer forensics specialists, mobile wireless investigation 
teams, and advanced research support. 

To expand its collaborative efforts, the Secret Service provides its ECSAP training 
to investigators at the ICE Computer Crimes Center as well as via the National 
Computer Forensics Institute (NCFI), which is a result of a partnership between the 
National Protection and Programs Directorate, the Secret Service, the State of Ala- 
bama, the City of Hoover, Shelby County, the Alabama District Attorney’s Associa- 
tion, and the Alabama Securities Commission, established to provide computer fo- 
rensic training and tools to State and local law enforcement officers, prosecutors, 
and judges. Investigators are trained to respond to network intrusion incidents and 
conduct electronic and cyber crimes investigations. This training also has the benefit 
of providing State and local law enforcement with the skills and tools to combat a 
myriad of crimes in their community. Further, the NCFI has supported training for 
DHS Fusion Centers and the FBI’s National Domestic Communications Assistance 
Center. Responding to the growth of cyber crimes and the level of sophistication 
these criminals employ requires training, resources and greater collaboration among 
law enforcement and its public and private sector partners. 

Since opening in May 2008, NCFI has trained more than 2,050 State and local 
officials, including more than 1,360 police investigators, 525 prosecutors and 165 
judges from all 50 States and three U.S. territories. 

In addition to these activities, ICE HSI’s Cyber Crimes Center (C3) delivers com- 
puter-based technical services to support domestic and international investigations 
into cross-border crime. C3 is made up of the Cyber Crimes Unit, the Child Exploi- 


1 Included are the following: 

— Computer forensics specialists, which in fiscal year 2012 conducted more than 7,000 dig- 
ital forensics exams, totaling more than 1,100 terabytes of data; 

— Cell Phone Forensics Facility at University of Tulsa, which since opening in 2008 has sup- 
ported 6,135 exams, and 305 advanced exams at the University of Tulsa; 

— 22 Mobile Wireless Investigations Teams, which in fiscal year 2012 conducted nearly 
1,140 investigations, supporting primarily State and local law enforcement with this ad- 
vanced capability and directly contributing to solving homicide cases and locating missing 
persons; 

— Advanced research support at Carnegie Mellon and development of advanced tools for use 
by law enforcement partners; and 

— Support of landmark research studies, like the Insider Threat Report, Verizon Data 
Breach Investigations Report, and the Trust Wave Global Security Report, which are an 
effective way to share law enforcement information, while protecting victim privacy, to de- 
velop national understanding of cyber risks. 
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tation Investigations Unit and the Computer Forensics Unit. This state-of-the-art 
center offers cyber crime support and training to Federal, State, local and inter- 
national law enforcement agencies. C3 also operates a fully equipped computer 
forensics laboratory, which specializes in digital evidence recovery, and offers train- 
ing in computer investigative and forensic skills. 

COOPERATION ACROSS THE FEDERAL GOVERNMENT 

Successful response to dynamic cyber threats requires leveraging homeland secu- 
rity, law enforcement, national defense, and intelligence authorities and capabilities, 
which respectively promote domestic preparedness, criminal deterrence and inves- 
tigation, and national defense. DHS, the Department of Justice (DOJ), and the De- 
partment of Defense (DOD) each play a key role in responding to cybersecurity inci- 
dents that pose a risk to the United States. To achieve a whole of government re- 
sponse to specific cyber incidents, DHS, DOJ, and DOD synchronize their oper- 
ations. The leaders of DHS, DOJ, and DOD have held a series of meetings to clarify 
the lanes in the road in cyber jurisdiction. The group agreed that DHS’ primary role 
is to protect critical infrastructure and networks, coordinate mitigation and recov- 
ery, disseminate threat information across various sectors and investigate 
cybercrimes under DHS’s jurisdiction. DOJ is the lead for investigation, enforce- 
ment, and prosecution of those responsible for cyber intrusions affecting tbe United 
States. As part of DOJ, the FBI conducts domestic national security operations; in- 
vestigates, attributes, and disrupts cybercrimes; and collects, analyzes, and dissemi- 
nates domestic cyber intelligence. DOD’s role is to defend the Nation, gather intel- 
ligence on foreign cyber threats, and to protect national security systems. DHS sup- 
ports our partners in many ways. For example, the United States Coast Guard as 
an Armed Force has partnered with U.S. Cyber Command and U.S. Strategic Com- 
mand to prepare for military cyberspace operations as directed. In coordination with 
DOS, DHS also works with international partners in strategic and operational en- 
gagements. 

While each agency operates within the parameters of its authorities, the U.S. Gov- 
ernment’s response to cyber incidents of consequence is coordinated among these 
three agencies such that “a call to one is a call to all.” Synchronization among DHS, 
DOJ, and DOD not only ensures that whole of Government capabilities are brought 
to bear against cyber threats, but also improves Government’s ability to share time- 
ly and actionable cybersecurity information among a variety of partners, including 
the private sector. 

PRESIDENTIAL POLICY DIRECTIVE 21 AND CYBER EXECUTIVE ORDER 13636 

America’s national security and economic prosperity are increasingly dependent 
upon the cybersecurity of critical infrastructure. With today’s physical and cyber in- 
frastructure growing more inextricably linked, critical infrastructure and emergency 
response functions are inseparable from the information technology systems that 
support them. The Federal Government’s role in this effort is to share information 
and to encourage enhanced security and resilience, while also identifying gaps not 
filled by the marketplace. As mentioned previously, the enhanced information shar- 
ing programs supported by Executive Order 13636 and PPD-21 help secure critical 
infrastructure and increase its resilience against cyber and physical attacks, as well 
as natural disasters and terrorist attacks. 

To complement PPD-21, Executive Order 13636 promotes more efficient sharing 
of cyber threat information with the private sector and directs the establishment of 
a cybersecurity framework to identify and implement better security practices 
among critical infrastructure sectors. Through partnerships between the Govern- 
ment and private sector, the critical infrastructure cyber systems upon which much 
of our economic well-being, national security, and daily lives depend are being better 
protected. PPD-21 and Executive Order 13636 reinforce holistic thinking and action 
in the realms of security and risk management and the issuance of these important 
documents allows us to build upon and enhance our existing partnership model with 
our key private sector and SLTT partners. Implementation of Executive Order 
13636 and PPD-21 will also drive action toward system and network security and 
resilience. The Department is well positioned to make advances in the space defined 
by the cyber-physical security nexus that PPD-21 and Executive Order 13636 ad- 
dress. 


BUDGET PRIORITIES 

The fiscal year 2014 budget supports initiatives to secure our Nation’s information 
and financial systems and to defend against cyber threats to private-sector and Fed- 
eral systems, the Nation’s critical infrastructure, and the U.S. economy. Taken to- 
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gether, the administration’s initiatives strengthen the security and resilience of crit- 
ical infrastructure against evolving threats through an updated and overarching na- 
tional framework that acknowledges the linkage between cybersecurity and securing 
physical assets. 

Included in the fiscal year 2014 budget are enhancements to the National 
Cybersecurity Protection System (NCPS) to prevent and detect intrusions on Gov- 
ernment computer systems and to the National Cybersecurity and Communications 
Integration Center to protect against and respond to cybersecurity threats. The 
budget also leverages the new operational partnership between ICE and USSS 
through the established network of USSS ECTFs to safeguard the Nation’s financial 
payment systems, combat cybercrimes, target transnational child exploitation in- 
cluding large-scale producers and distributors of child pornography, and prevent at- 
tacks against U.S. critical infrastructure. 

— Federal Network Security. — $200 million is included for Federal Network Secu- 
rity, which manages activities designed to enable Federal agencies to secure 
their IT networks. The budget provides funding to further reduce risk in the 
Federal cyber domain by enabling continuous monitoring and diagnostics of net- 
works in support of mitigation activities designed to strengthen the operational 
security posture of Federal civilian networks. DHS will directly support Federal 
civilian departments and agencies in developing capabilities to improve their 
cybersecurity posture and to better thwart advanced, persistent cyber threats 
that are emerging in a dynamic threat environment. 

— NCPS. — $406 million is included for Network Security Deployment, which man- 
ages NCPS, operationally known as EINSTEIN. NCPS is an integrated intru- 
sion detection, analytics, information-sharing, and intrusion-prevention system 
that supports DHS responsibilities to defend Federal civilian networks. 

— US-CERT. — $102 million is included for operations of US-CERT, which leads 
and coordinates efforts to improve the Nation’s cybersecurity posture, promotes 
cyber information sharing, and manages cyber risks to the Nation. US-CERT 
encompasses the activities that provide immediate customer support and inci- 
dent response, including 24-hour support in the National Cybersecurity and 
Communications Integration Center. As more Federal network traffic is covered 
by NCPS, additional US-CERT analysts are required to ensure cyber threats 
are detected and the Federal response is effective. 

— SLTT Engagement. — In fiscal year 2014, DHS will expand its support to the 
MS-ISAC to assist in providing coverage for all 50 States and 6 U.S. territories 
in its managed security services program. MS-ISAC is a central entity through 
which SLTT governments can strengthen their security posture through net- 
work defense services and receive early warnings of cyber threats. In addition, 
the MS-ISAC shares cybersecurity incident information, trends, and other anal- 
ysis for security planning. 

— Cybersecurity Research and Development. — The fiscal year 2014 budget includes 
$70 million for the Science and Technology Directorate’s research and develop- 
ment focused on strengthening the Nation’s cybersecurity capabilities. 

— Cyber Investigations. — The fiscal year 2014 budget continues to support ICE 
and USSS to strategically investigate domestic and international criminal ac- 
tivities, including computer fraud, network intrusions, financial crimes, access 
device fraud, bank fraud, identity crimes and telecommunications fraud, bene- 
fits fraud, arms and strategic technology, money laundering, counterfeit phar- 
maceuticals, child pornography, and human trafficking occurring on or through 
the Internet. The budget continues to enable these DHS law enforcement agen- 
cies to provide computer forensics support and training for law enforcement 
partners to enable them to effectively investigate cyber crime and conduct other 
highly technical investigations. ICE projects a fiscal year 2014 expenditure of 
$13.8 million for the Cyber Crimes Center supporting investigations to identify, 
disrupt, and dismantle domestic and transnational criminal organizations en- 
gaged in crimes facilitated by use of computers and cyberspace. In addition, ICE 
expects to spend $96.5 million on investigations of cyber crime/child exploi- 
tation. Other investigations of illicit trade, travel and finance all make use of 
cyber investigative techniques including computer forensic analysis. The Secret 
Service’s ECTFs will also continue to focus on the prevention of cyber attacks 
against U.S. financial payment systems and critical infrastructure through ag- 
gressive investigation and information sharing. 

— Cyber Protection. — The fiscal year 2014 budget includes $13.5 million to en- 
hance the Secret Service’s ability to secure protective venues, National Special 
Security Events and associated Critical Infrastructure/Key Resources from 
cyber attacks. 
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CYBER LEGISLATIVE PRIORITIES 

It is important to note that the Executive order directs Federal agencies to work 
within current authorities and increase voluntary cooperation with the private sec- 
tor to provide better protection for computer systems critical to our national and 
economic security. It does not grant new regulatory authority or establish additional 
incentives for participation in a voluntary program. We continue to believe that a 
suite of legislation is necessary to implement the full range of steps needed to build 
a strong public-private partnership, and we will continue to work with the Congress 
to achieve this. 

To help us achieve our mission, we have created a number of competitive scholar- 
ship, fellowship, and internship programs to attract top talent. We are growing our 
world-class cybersecurity workforce by creating and implementing standards of per- 
formance, building and leveraging a cybersecurity talent pipeline with secondary 
and post-secondary institutions nationwide, and institutionalizing an effective, ongo- 
ing capability for strategic management of the Department’s cybersecurity work- 
force. Congress can support this effort by pursuing legislation that provides DHS 
with the hiring and pay flexibilities we need to secure Federal civilian networks, 
protect critical infrastructure, respond to cyber threats, and combat cybercrime. 

CONCLUSION 

The American people expect us to secure the country from the growing danger of 
cyber threats and ensure the Nation’s critical infrastructure is protected. The 
threats to our cybersecurity are real, they are serious, and they are urgent. I appre- 
ciate this committee’s guidance and support as, together, we work to keep our Na- 
tion safe. 

STATEMENT OF RICHARD A. MCFEELY, EXECUTIVE ASSISTANT DIREC- 
TOR, CRIMINAL, CYBER, RESPONSE, AND SERVICES BRANCH, 
FEDERAL BUREAU OF INVESTIGATION, DEPARTMENT OF JUS- 
TICE 

Mr. McFeely. Good afternoon, Madam Chairwoman, Vice Chair- 
man Shelby, and members of the committee. 

It is difficult to overstate the potential impacts cyber threats 
pose to our economy, our national security, and the critical infra- 
structure upon which our country relies. That is why the FBI, 
along with our key partners sitting at the table here, are strength- 
ening our cyber capabilities in the same way we enhanced our in- 
telligence and national security capabilities in the wake of 9/11. 

I want to talk briefly about what the FBI’s response has been, 
but I echo both of these two gentlemen’s comments that this is a 
whole of Government approach when it comes to addressing this 
issue. 

In the last year within the FBI, we have undergone a paradigm 
shift in how we conduct cyber operations. While we previously 
watched, collected information, and added to our understanding of 
the adversaries’ intentions, we did not always take action by seek- 
ing to disrupt them as we might in a counterterrorism case. We are 
now, working with our partners, successfully disrupting and im- 
pacting the individuals behind the keyboard who have made it 
their mission to attack, steal, spy, and commit terrorist acts 
against our Nation and its citizens. Instead of watching foreign 
countries steal our intellectual property, we are going out to com- 
panies and trying to prevent it. 

For example, working with DHS, we now routinely provide pri- 
vate industry and our law enforcement partners overseas with IP 
addresses that are responsible for launching attacks against our 
country. Just last week, the FBI, Microsoft, and the financial serv- 
ices industry conducted separate but coordinated operations to suc- 
cessfully disrupt more than 1,000 botnets, networks of com- 
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promised computers that had been infected with a malware known 
as Citadel. The botnets were part of a massive global cyber crime 
operation estimated to be responsible for more than half a billion 
dollars in financial fraud. 

These actions are part of a larger U.S. Government strategy led 
by the National Cyber Investigative Joint Task Force, or NCIJTF, 
to target botnet creators and distributors. They exemplify how the 
FBI and our partners are using private/public partnerships both 
domestically and internationally to protect the public from cyber 
criminals. 

At the NCIJTF, which serves as the deconfliction center on cyber 
threat investigations among 19 U.S. and two international agen- 
cies, the Government is coordinating its efforts at an unprece- 
dented level. This coordination involves senior personnel at key 
agencies. While it is led by the FBI, it now has Deputy Directors 
from the National Security Agency, DHS, the Central Intelligence 
Agency (CIA), the U.S. Secret Service, and U.S. Cyber Command. 

We must recognize that to work together we have to make sure 
that we keep pace and surpass the capabilities of our cyber adver- 
saries. As General Alexander described earlier, the leaders of the 
FBI, DHS, and NSA met last fall and clarified the lanes in the road 
to cyber jurisdiction. And I believe that the collective opinion 
among the worker levels is that there is now an unprecedented 
level of cooperation not seen since the immediate post-9/11 era. 

In addition to strengthening our partnerships in Government, we 
have significantly enhanced our collaboration with the private sec- 
tor. As part of that outreach, we have begun to provide industry 
partners with classified threat briefings and other information and 
tools to help repel intruders. Among these tools is a new platform 
we are developing for trusted industry partners to report cyber in- 
cidents to all of Government in real time. Known as iGuardian, it 
is based on a successful guardian terrorist threat tracking and col- 
laboration system developed after 9/11. We are also developing an 
automated malware analysis tool to which law enforcement and in- 
dustry partners could submit samples of malware for triage and 
analysis. We expect an unclassified version of this system to be pi- 
loted with the private sector this fall. 

And while we have been primarily focused on cyber intrusions, 
which we see as the greatest cyber threat to our national security, 
we are working with our State and local law enforcement partners 
to identify and address gaps in the investigation and prosecution 
of Internet fraud crimes. The FBI, the U.S. Secret Service should 
not bear all responsibility for this. We believe that there is a huge 
space for our State and local partners to join us in this fight. 

To address these gaps, we have developed a pilot program, in col- 
laboration with the International Chiefs of Police and other law en- 
forcement organizations to enhance the Internet fraud targeting 
packages that the FBI’s Internet Crime Complaint Center, or IC3, 
currently provides to State and local law enforcement for investiga- 
tion and potential prosecution. 

I thank you for the opportunity to be here today and look for- 
ward to answering questions. 

[The statement follows:] 
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Prepared Statement of Richard A. McFeely 

Good afternoon Chairwoman Mikulski, Vice Chairman Shelby, and members of 
the committee. I appreciate the opportunity to appear before you today to discuss 
the cyber threat, how the Federal Bureau of Investigation (FBI) has responded to 
it, and how we are marshaling our resources and strengthening our partnerships 
to more effectively combat the increasingly sophisticated adversaries we face in 
cyberspace. 


THE CYBER THREAT 

As the committee is well aware, the frequency and impact of cyber attacks on our 
Nation’s private sector and government networks have increased dramatically in the 
past decade, and are expected to continue to grow. Since 2002, the FBI has seen 
an 84-percent increase in the number of computer intrusion investigations. 

Our adversaries in the cyber realm include spies from nation-states who seek our 
secrets and intellectual property; organized criminals who want to steal our identi- 
ties and money; terrorists who aspire to attack our power grid, water supply, or 
other infrastructure; and hacktivist groups who are trying to make a political or so- 
cial statement. It is difficult to overstate the potential impact these threats pose to 
our economy, our national security, and the critical infrastructure upon which our 
country relies. The bottom line is we are losing data, money, ideas, and innovation 
to a wide range of cyber adversaries and much more is at stake. 

Director Mueller has said he expects the cyber threat to surpass the terrorism 
threat to our Nation in the years to come. That is why we are strengthening our 
cyber capabilities in the same way we enhanced our intelligence and national secu- 
rity capabilities in the wake of the September 11th attacks. 

FEDERAL BUREAU OF INVESTIGATION RESPONSE 

The FBI recognized the significance of the cyber threat more than a decade ago 
and, in response, created the Cyber Division and elevated the cyber threat to our 
number three national priority (only after counterterrorism and counterintelligence). 
We also significantly increased our hiring of technically trained agents, analysts, 
and forensic specialists and expanded our partnerships with law enforcement, pri- 
vate industry, and academia. 

We have made great progress since the Cyber Division was first created in 2002. 
Prior to that, we considered it a success when we recognized that networks were 
being attacked. We soon enhanced our ability to determine attribution knowing who 
was breaking into our computers and networks and to track Internet Protocol (IP) 
addresses back to their source. Now, the question we ask ourselves is, “How are we 
going to take action on that information?” 

The perpetrators of these attacks are often overseas, but in the past, tracking an 
IP address back to its source in a foreign country usually led to a dead end. To ad- 
dress this problem, we embedded cyber agents with law enforcement in several key 
countries, including Estonia, Ukraine, the Netherlands, Romania, and Latvia. We 
have also worked with several of these countries to extradite subjects from their 
countries to stand trial in the United States. 

Building on the success of our international outreach, we are currently expanding 
our Cyber Assistant Legal Attache program to the United Kingdom (U.K.), Singa- 
pore, Bulgaria, Australia, Canada, the Republic of Korea, and Germany. 

RECENT SUCCESSES 

A prime example of international collaboration came in the 2011 takedown of 
Rove Digital, a company founded by a ring of Estonian and Russian hackers to com- 
mit a massive Internet fraud scheme. The scheme infected more than 4 million com- 
puters in more than 100 countries with malware. The malware secretly altered the 
settings on infected computers, enabling the hackers to hijack Internet searches 
using rogue servers for Domain Name System (DNS) routers and re-route computers 
to certain Web sites and ads. The company received fees each time these Web sites 
or ads were clicked on or viewed by users and generated $14 million in illegitimate 
income for the operators of Rove Digital. 

Following the arrest of several alleged co-conspirators in Estonia, FBI agents, lin- 
guists, and forensic examiners assisted Estonian authorities in retrieving and ana- 
lyzing data linking them to the scheme. Seven individuals have been indicted in the 
Southern District of New York in this case. Two of the six for which the United 
States sought extradition have been remanded to U.S. custody and have recently 
pleaded guilty to wire fraud and computer intrusion. 
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While the FBI and our partners have had multiple recent investigative successes 
against the threat, we are continuing to push ourselves to respond more rapidly and 
prevent attacks before they occur. 

One area in which we have had great success with our overseas partners recently 
is in targeting infrastructure we believe has been used in Distributed Denial of 
Service (DDOS) attacks, and preventing it from being used for future attacks. Since 
October 2012, the FBI and the Department of Homeland Security (DHS) have re- 
leased nearly 168,000 Internet Protocol addresses of computers that were believed 
to be infected with DDOS malware. We have released this information through 
Joint Indicator Bulletins (JIBs) to more than 130 countries via DHS’ National 
Cybersecurity and Communications Integration Center Team as well as our Legal 
Attaches. 

These actions have enabled our foreign partners to take action and reduced the 
effectiveness of the botnets and the DDOS attacks. We are continuing to target 
botnets through this strategy and others. 

NEXT GENERATION CYBER 

The need to prevent attacks is a key reason we have redoubled our efforts to 
strengthen our cyber capabilities while protecting privacy, confidentiality, and civil 
liberties. The FBI’s Next Generation Cyber Initiative, which we launched in 2012, 
entails a wide range of measures, including focusing the Cyber Division on intru- 
sions into computers and networks — as opposed to crimes committed with a com- 
puter as a modality; establishing Cyber Task Forces in each of our 56 field offices 
to conduct cyber intrusion investigations and respond to significant cyber incidents; 
hiring additional computer scientists to assist with technical investigations in the 
field; and expanding partnerships and collaboration at the National Cyber Inves- 
tigative Joint Task Force (NCIJTF). 

At the NCIJTF — which serves as a coordination, integration, and information 
sharing center among 19 U.S. agencies and two foreign governments for cyber 
threat investigations — we are coordinating at an unprecedented level. This coordina- 
tion involves senior personnel at key agencies. NCIJTF, which is led by the FBI, 
now has deputy directors from the National Security Agency (NSA), DHS, the Cen- 
tral Intelligence Agency, U.S. Secret Service, and U.S. Cyber Command. We recently 
invited our Five Eyes partners to join us at the NCIJTF. Australia agreed, and em- 
bedded personnel there in May. The U.K. is scheduled to do so in July 2013. By 
developing partnerships with these and other nations, NCIJTF is working to become 
the international leader in synchronizing and maximizing investigations of cyber ad- 
versaries. 

We recognize that we must work together more efficiently than ever to keep pace 
with and surpass our cyber adversaries. To that end, the leaders of the FBI, DHS, 
and NSA recently held a series of meetings to clarify the lanes in the road in cyber 
jurisdiction. The group agreed that the Department of Justice (DOJ) is the lead for 
investigation, enforcement, and prosecution of those responsible for cyber intrusions 
affecting the United States. As part of DOJ, the FBI conducts domestic national se- 
curity operations; investigates, attributes, and disrupts cybercrimes; and collects, 
analyzes, and disseminates domestic cyber intelligence. DHS’s primary role is to 
protect critical infrastructure and networks, coordinate mitigation and recovery, dis- 
seminate threat information across various sectors and investigate cybercrimes 
under DHS’s jurisdiction. The Department of Defense’s role is to defend the Nation, 
gather intelligence on foreign cyber threats, and to protect national security sys- 
tems. 

Earlier this year, the U.S. Intellectual Property Enforcement Coordinator released 
the administration’s Strategy on Mitigating the Theft of U.S. Trade Secrets. As part 
of the strategy, the Department of Justice, including the FBI, will continue to 
prioritize prosecutions and investigations of foreign corporate and state-sponsored 
trade secret theft. Further, the FBI is expanding its efforts to fight computer intru- 
sions that involve the theft of trade secrets by individuals, foreign corporations, and 
nation-state cyber hackers. 

While we are primarily focused with our Federal partners on cyber intrusions, we 
are also working with our State and local law enforcement partners to identify and 
address gaps in the investigation and prosecution of Internet fraud crimes. 

Currently, the FBI’s Internet Crime Complaint Center (IC3) collects reports from 
private industry and citizens about online fraud schemes, identifies emerging 
trends, and produces reports about them. The FBI investigates fraud schemes that 
are appropriate for Federal prosecution (based on factors like the amount of loss). 
Others are packaged together and referred to State and local law enforcement. How- 
ever, we have learned that very few of these referred cases are being worked. 
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To close this gap, we have developed a pilot program in collaboration with the 
International Association of Chiefs of Police, the Major City Chiefs Association, and 
the National Sheriffs’ Association to enhance the Internet fraud targeting packages 
IC3 provides to State and local law enforcement for investigation and potential pros- 
ecution. During the first phase of the pilot, IC3 will develop better investigative 
leads for direct dissemination to State and local agencies, beginning with the Utah 
Department of Public Safety. 


PRIVATE SECTOR OUTREACH 

In addition to strengthening our partnerships in government and law enforce- 
ment, we recognize that to effectively combat the cyber threat, we must significantly 
enhance our collaboration with the private sector. Our Nation’s companies are the 
primary victims of cyber intrusions and their networks contain the evidence of 
countless attacks. 

In the past, industry has provided us information about attacks that have oc- 
curred, and we have investigated the attacks, but we have not always provided in- 
formation back. We realize the flow of information must go both ways. As part of 
our enhanced private sector outreach, we have begun to provide industry partners 
with classified threat briefings and other information and tools to help them repel 
intruders. 

Among them is a new platform we are developing for trusted private industry 
partners to report cyber incidents to us in real time. Known as iGuardian, it is 
based on the FBI’s successful Guardian terrorist threat tracking and collaboration 
system. Guardian has also been enhanced to accept cyber incident reporting from 
fusion centers and State and local law enforcement. 

Over the past year, we have been engaged in classified briefs on nearly a daily 
basis at NCIJTF with private-sector partners and representatives of our Nation’s 
most critical infrastructure sectors. Earlier this year, in coordination with the Treas- 
ury Department, we provided a classified briefing on threats to the financial serv- 
ices industry to executives of more than 40 banks who participated via secure video 
teleconference in FBI field offices around the country. 

In addition to these actions, we are also expanding our partnerships with private 
industry and academia through initiatives like InfraGard — a public-private coalition 
of 55,000 members to protect critical infrastructure — and the National Cyber- 
Forensics and Training Alliance, a proven model for sharing private sector informa- 
tion in collaboration with law enforcement. 

FISCAL YEAR 2014 BUDGET REQUEST 

The combined result of these actions is that the FBI has undergone a paradigm 
shift over the past year in how we are responding to the cyber threat, particularly 
national security cyber threats. While we previously watched, collected information, 
and added to our understanding of our nation-state adversaries’ intentions, we are 
now looking to disrupt and deter the individuals behind the keyboard who have 
made it their mission to attack, steal, spy, and commit terrorist attacks against our 
Nation and its citizens. 

Instead of watching foreign countries steal our intellectual property, we’re going 
out to companies and trying to prevent it. For example, in coordination with DHS, 
we will provide organizations with IP addresses that are likely to launch attacks 
against them or the e-mail addresses used to send their employees messages with 
links to malicious software, in a technique known as “spearphishing.” 

Undertaking these new actions and initiatives requires additional personnel and 
other resources. That is why, to help the FBI combat this rapidly developing and 
diverse threat, the fiscal year 2014 budget request includes an additional 152 posi- 
tions (60 Special Agents, 1 Intelligence Analyst, and 91 Professional Staff) and $86.6 
million to help address this threat. 


CONCLUSION 

In conclusion, Chairwoman Mikulski, to counter the threats we face, we are en- 
gaging in an unprecedented level of collaboration within the U.S. Government, with 
the private sector, and with international law enforcement. 

We are grateful for the committee’s support and look forward to continuing to 
work with you and expand our partnerships as we determine a successful course 
forward for the Nation to defeat our cyber adversaries. 

Thank you again for the opportunity to be here today. I would be happy to answer 
any questions you may have. 
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STATEMENT OF HON. DR. PATRICK D. GALLAGHER, ACTING DEPUTY 
SECRETARY, DEPARTMENT OF COMMERCE; DIRECTOR, NA- 
TIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY 

Chairwoman Mikulski. Dr. Gallagher. 

Dr. Gallagher. Thank you. Chairwoman Mikulski and Vice 
Chairman Shelby, members of the committee, it is a distinct pleas- 
ure to be here today to join my colleagues to talk to you about 
cybersecurity. 

Since I am batting cleanup, I want to touch quickly on just two 
topics. 

First is the all-of-Government approach. Good teamwork is based 
on playing your position, and the NIST position is based on our 
mission. We are a measurement science and standards organiza- 
tion, and our role is to support industry, the owners and operators 
of this infrastructure, as they respond to the information that they 
get from our Intelligence Community, from our law enforcement 
community, and from Homeland Security. 

This is a top priority for NIST. In our fiscal year 2014 budget re- 
quest, there was a $24 million increase to cybersecurity R&D pro- 

f rams at NIST. This is on top of making our total investment of 
68 million. This funding enables our R&D performance in a num- 
ber of critical areas, including the National Initiative for 
Cybersecurity Education, an interagency effort; the National Strat- 
egy for Trusted Identities in Cyberspace; the National 
Cyber security Center of Excellence; and implementation of Execu- 
tive Order 13636, “Improving Critical Infrastructure 
Cyber security.” 

Second, I would like to give you a quick update on the Executive 
order. As many of you know, under the order, NIST has been di- 
rected to work with industry to develop a framework of 
cybersecurity practices, methods, and so forth that supports the 
performance goals established by the Department of Homeland Se- 
curity. For this to be successful, two major elements have to be 
part of the approach. 

First is an effective partnership between the agencies, and that 
is occurring. In fact, we memorialized this with a memorandum of 
understanding between DHS and NIST and with close working col- 
laborations with my colleagues here. 

And second, the cybersecurity framework must be developed 
through a process that is industry-led, open and transparent to all 
of the stakeholders because it is by having industry develop their 
own practices that are responsive to the performance goals that we 
end up with an output that is technically robust, because it draws 
on their expertise, and is aligned with business interests and prac- 
tice. 

This is not a new or novel or approach for NIST. We have uti- 
lized a similar approach in the recent past to address other na- 
tional priorities, including the smart grid and cloud computing. 

Madam Chair, I appreciate the challenge before us. The Execu- 
tive order is very aggressive in the timing for the framework proc- 
ess. It is to be developed within 1 year. The first draft is due in 
120 days. Today marks the halfway point in that process. We have 
issued, in support of this effort, a request for information and have 
gathered input from industry and other stakeholders. We have held 
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the first two of four planned workshops to support this process, and 
we will use these workshops to finalize and develop the framework 
because it is this type of approach that allows us the appropriate 
level of collaboration and engagement with industry. 

In May, we released the initial findings and the early analysis 
from the request for information. That release marks the transition 
from sort of gathering facts to actually building the framework. In 
8 months, we will have an initial draft of the framework, including 
an initial list of standards, guidelines, and practices, and then fol- 
lowing that, we will work with our agency partners to finalize the 
framework. But even after the framework is done, the work is real- 
ly only just beginning. Adoption and use of the framework is going 
to raise new issues to address. The goal at the end of this process 
is for industry to adopt the framework themselves so it becomes an 
ongoing process that enhances cybersecurity. 

The President’s Executive order lays out an urgent and ambi- 
tious agenda, but it is designed around an active collaboration be- 
tween the public and private sectors, and I wholeheartedly believe 
that partnership is the essential ingredient for its success. 

In short, the cybersecurity challenge, both in the dot-gov and in 
the dot-com domain, is greater than it has ever been. Active col- 
laboration among the private sector and between the public and 
private sectors is really the only way we can meet this challenge, 
leveraging both sides’ roles, responsibilities, and capabilities. 

And we have a lot of work, and I look forward to working with 
this committee to make it happen. Thank you. 

[The statement follows:] 

Prepared Statement of Hon. Dr. Patrick D. Gallagher 

Chairwoman Mikulski, Vice Chairman Shelby, members of the committee, I am 
Patrick Gallagher, Under Secretary of Commerce for Standards and Technology and 
Director of the National Institute of Standards and Technology (NIST), a nonregula- 
tory bureau within the U.S. Department of Commerce. I am also currently serving 
as the Acting Deputy Secretary of Commerce. Thank you for this opportunity to tes- 
tify today on NIST’s roles and responsibility for cybersecurity. 

the role of the national institute of standards and technology in 

CYBERSECURITY 

NIST’s overall mission is to promote U.S. innovation and industrial competitive- 
ness by advancing measurement science, standards, and technology in ways that en- 
hance economic security and improve our quality of life. Our work in addressing 
technical challenges related to national priorities has ranged from projects related 
to the Smart Grid and electronic health records to atomic clocks, advanced nano- 
materials, and computer chips. 

In the area of cybersecurity, NIST has worked with Federal agencies, industry, 
and academia since 1972, when it was given the responsibility for the development 
of the Data Encryption Standard. Our role to research, develop and deploy informa- 
tion security standards and technology to protect information systems against 
threats to the confidentiality, integrity and availability of information and services, 
was then strengthened through the Computer Security Act of 1987 and reaffirmed 
through the Federal Information Security Management Act of 2002. 

Consistent with our mission, NIST actively engages with industry, academia, and 
other parts of the Federal Government including the Intelligence Community, and 
with elements of the law enforcement and national security communities. These col- 
laborations inform our efforts in coordinating and prioritizing cybersecurity re- 
search, standards development, standards conformance demonstration and 
cybersecurity education and outreach. 

Our broader work in the areas of information security, trusted networks, and soft- 
ware quality is applicable to a wide variety of users, from small and medium enter- 
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prises to large private and public organizations including agencies of the Federal 
Government and companies involved with critical infrastructure. 

We employ collaborative partnerships with our customers and stakeholders in in- 
dustry, government and academia, to take advantage of their technical and oper- 
ational insights and to leverage the resources of a global community. These collabo- 
rative efforts and our private sector collaborations in particular, are constantly 
being expanded by new initiatives, including in recent years through the National 
Initiative for Cybersecurity Education (NICE), National Strategy for Trusted Identi- 
ties in Cyberspace (NSTIC), the National Cybersecurity Center of Excellence 
(NCCoE), and through development of the Cybersecurity Framework under Execu- 
tive order (EO) 13636, “Improving Critical Infrastructure Cybersecurity.” 

My testimony has four parts today: I’ll discuss the role of NIST in protecting Fed- 
eral information systems; our engagement with industry; our work under the Presi- 
dent’s Executive order; and how our funding supports all of those efforts. 

THE ROLE OF THE NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY IN 
PROTECTING FEDERAL INFORMATION SYSTEMS 

The E-Government Act of 2002, Public Law 107-347, recognized the importance 
of information security to the economic and national security interests of the United 
States. Title III of the E-Government Act, known as the Federal Information Secu- 
rity Management Act of 2002 (FISMA), included duties and responsibilities for the 
National Institute of Standards and Technology to develop standards and guidelines 
for Federal information systems. 

The NIST Special Publications (SPs) and Interagency Reports (IRs) provide man- 
agement, operational, and technical security guidelines for Federal agencies and 
cover a broad range of topics such as BIOS management and measurement, key 
management and derivation, media sanitization, electronic authentication, security 
automation, Bluetooth and wireless protocols, incident handling and intrusion detec- 
tion, malware, cloud computing, public key infrastructure, risk assessments, supply 
chain risk management, authentication, access control, security automation and con- 
tinuous monitoring. 

Beyond these documents — which are peer-reviewed throughout industry, govern- 
ment, and academia — NIST conducts workshops, awareness briefings, and outreach 
to ensure comprehension of standards and guidelines, to share ongoing and planned 
activities, and to aid in scoping guidelines in a collaborative, open, and transparent 
manner. 

In support of FISMA implementation, in recent years NIST has strengthened its 
collaboration with the Department of Defense, the Intelligence Community, and the 
Committee on National Security Systems, through the Joint Task Force Trans- 
formation Initiative, which continues to develop key cybersecurity guidelines for pro- 
tecting Federal information and information systems for the Unified Information Se- 
curity Framework. 

This collaboration allows the most broad-based and comprehensive set of safe- 
guards and countermeasures ever developed for information systems. This unified 
framework provides a standardized method for expressing security at all levels, from 
operational implementation to compliance reporting. It allows for an environment 
of information sharing and interconnections among these communities and signifi- 
cantly reduces costs, time, and resources needed for finite sets of systems and ad- 
ministrators to report on cybersecurity to multiple authorities. 

To support agency implementation of cloud technology, NIST has worked with the 
General Services Administration (GSA) to help establish the Federal Risk and Au- 
thorization Management Program (FedRAMP) to identify security assessment re- 
quirements, and prototype a process for approving Third-Party Assessment Organi- 
zations (3PAOs) that demonstrate capability in assessing Cloud Service Provider 
(CSP) information systems for conformance to identified standards and guidelines. 

Given the Department of Homeland Security’s (DHS’s) important role in Federal 
agency cybersecurity, our partnership with DHS informs NIST’s collaborative ef- 
forts. Earlier in the year I signed a Memorandum of Agreement with DHS Under- 
secretary Rand Beers to ensure that our work with industry on cybersecurity stand- 
ards, best practices, and metrics is fully integrated with the information sharing, 
threat analysis, response, and other work of DHS. We believe this will help enable 
a more holistic approach to addressing the complex nature of the challenge facing 
Federal agencies. 
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THE NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY’S ENGAGEMENT WITH 

INDUSTRY 

It is important to note that the impact of NIST’s activities under FISMA extend 
beyond providing the means to protect Federal IT systems. They provide the 
cybersecurity foundations for the public trust that is essential to our realizing the 
national and global productivity and innovation potential of electronic business and 
its attendant economic benefits. Many organizations voluntarily follow these stand- 
ards and guidelines, reflecting their wide acceptance throughout the world. 

Beyond our responsibilities under FISMA, under the provisions of the National 
Technology Transfer and Advancement Act, Public Law 104-113, and related OMB 
Circular A-119, NIST is tasked with the key role of encouraging and coordinating 
Federal agency use of voluntary consensus standards and participation in the devel- 
opment of relevant standards, as well as promoting coordination between the public 
and private sectors in the development of standards and in conformity assessment 
activities. NIST works with other agencies, such as the State Department, to coordi- 
nate standards issues and priorities with the private sector through consensus 
standards organizations such as the American National Standards Institute (ANSI), 
the International Organization for Standardization (ISO), the Institute of Electrical 
and Electronic Engineers (IEEE), the Internet Engineering Task Force (IETF), and 
the International Telecommunication Union (ITU). 

A partnership with industry to develop, maintain, and implement voluntary con- 
sensus standards related to cybersecurity best practices promotes the interoper- 
ability, security and resiliency of this global infrastructure and makes us all more 
secure. It also allows this infrastructure to evolve in a way that embraces both secu- 
rity and innovation — allowing a market to flourish to create new types of secure 
products for the benefit of all Americans. 

NIST also conducts cybersecurity research and development in areas such as secu- 
rity for Federal mobile environments and techniques for measuring and managing 
security. These efforts focus on improving the cybersecurity of current and future 
information technologies, and on improving the trustworthiness of IT components 
such as claimed identities, data, hardware, and software for networks and devices. 

In addition, NIST recognizes that further development of cybersecurity standards 
will be needed to improve the security and resiliency of critical U.S. information and 
communication infrastructure. The availability of cybersecurity standards and asso- 
ciated conformity assessment schemes is essential to these efforts, which will help 
enhance the deployment of sound security solutions and build trust among those 
creating and those using the solutions throughout the country. 

Additionally, the State of Maryland, Montgomery County, and NIST have jointly 
established tbe National Cybersecurity Center of Excellence (NCCoE), a public-pri- 
vate collaboration for accelerating the widespread adoption of cybersecurity tech- 
nologies. Through the creation of standards-based reference designs, templates, and 
example “builds,” the NCCoE will reduce barriers for companies that see the deploy- 
ment of more secure technologies as too costly, too complicated, or technically infea- 
sible. Reducing these economic, educational, and technical barriers to adoption can 
improve the security posture, and increase tbe competitiveness, of U.S. industry. 

The NCCoE tackles some of the most pressing cybersecurity challenges identified 
by the members of one or more economic sectors. These challenges are then syn- 
thesized into specific “use cases” that include technical details that allow the 
NCCoE to develop an integrated solution based on commercially available tech- 
nology. All of this work is done in an open and collaborative process: the use cases 
are published for public comment on the NCCoE Web site; the solutions are devel- 
oped in collaboration with the private sector, other government agencies, and aca- 
demia; the NCCoE hosts workshops and public meetings to exchange expertise and 
validate the practicality of the solutions under development; and when complete, the 
entire set of material necessary to recreate the NCCoE example solution is made 
available to the public. 

The NCCoE is a unique opportunity that brings together, under one roof, experts 
from industry, government, and academia to develop practical, interoperable, and 
usable cybersecurity solutions. The center collaborates with the private sector pri- 
marily through three channels: 

— A Sector Community of Interest. — Open to the public, with primary participation 
drawn from sector-specific businesses (e.g., healthcare, financial services, en- 
ergy, etc.). 

— National Cybersecurity Excellence Partnership Companies. — U.S. IT and 
cybersecurity companies that have committed to share technology and engineer- 
ing staff with the NCCoE on persistent basis. 
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— Use Case Collaborators . — Companies that are providing a secure technology and 
engineering expertise as a part of an integrated solution for a specific use case. 

The National Strategy for Trusted Identities in Cyberspace (NSTIC) is another 
key area in which NIST engages with industry. Under NSTIC, NIST is working 
with a wide array of stakeholders on creation of an online environment — the “Iden- 
tity Ecosystem” — that addresses the myriad security and convenience problems 
caused by passwords, and allows individuals and organizations to better trust one 
another, with minimized disclosure of personal information. The Identity Ecosystem 
will be a user-centric online environment, supported by a framework of technologies, 
policies, and agreed-upon standards, which will enable individuals to transact busi- 
ness in a way that is more secure, convenient and privacy-enhancing everywhere 
they go online. 

In the Identity Ecosystem, consumers will be able to choose in the marketplace 
from a variety of identity solutions — both private and public — that would issue 
trusted credentials that could be used in lieu of passwords across the Internet. Key 
attributes of the Identity Ecosystem include privacy, convenience, efficiency, ease- 
of-use, security, confidence, innovation, and choice. Creating this Identity Ecosystem 
requires a partnership between the private sector, advocacy groups, public sector 
agencies and others — all of whom are currently working to support NSTIC by col- 
laborating in the privately led Identity Ecosystem Steering Group (IDESG). The re- 
quest continues and expands existing efforts to coordinate Federal activities needed 
to implement NSTIC. 

NIST also supports the continued work under the National Initiative for 
Cybersecurity Education (NICE). As we all know, cybersecurity is much more than 
technological solutions to technical problems; it is also highly dependent on educated 
users who are aware of and routinely employ sound practices when dealing with 
cyberspace. NIST will continue to work with the Federal Government, and with 
State, local, and tribal governments, for improving cybersecurity education. NIST 
will ensure coordination, cooperation, focus, public engagement, technology transfer, 
and sustainability of NICE. NIST works with DHS and other Federal agencies in 
the implementation of the cybersecurity education framework to address national 
cybersecurity awareness, formal cybersecurity education, Federal cybersecurity 
workforce structure, and cybersecurity workforce training and professional develop- 
ment. 

Small businesses face particular cybersecurity challenges, as they tend to have 
more limited resources that must be well applied to meet the most obvious and seri- 
ous threats. The vulnerability of any individual small business may not seem sig- 
nificant, other than to the owner and employees of that business. However, given 
that over 95 percent of all U.S. businesses are small- and medium-size businesses 
(SMBs), a vulnerability common to a large percentage of SMBs poses a threat to 
the Nation’s economic base. SMBs frequently cannot justify an extensive security 
program or a full-time expert. Nonetheless, they confront serious security challenges 
and must address security requirements based on identified needs. 

Cognizant of the needs of SMBs, NIST partners with the Small Business Adminis- 
tration ( SB A) and the Federal Bureau of Investigation’s InfraGard program to spon- 
sor computer security workshops and provide online support for small businesses. 
Through these efforts, experts in computer security are made available to offer 
small business owners an overview of information security threats, vulnerabilities, 
and corresponding protective tools and techniques, with a special emphasis on pro- 
viding useful information that small business personnel can apply directly or use 
to task contractor personnel. 

In fiscal year 2012, NIST, SBA, and the FBI hosted 25 small business information 
security workshops in Oklahoma, Louisiana, Colorado, New Hampshire, Con- 
necticut, Minnesota, Texas, California, Indiana, Ohio, and New Mexico, and pro- 
vided online support to SMBs throughout the United States. 

THE NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY’S ROLE IN EXECUTIVE 
ORDER 13636, “IMPROVING CRITICAL INFRASTRUCTURE CYBERSECURITY” 

As you know, on February 13, 2013, the President signed Executive Order 13636, 
“Improving Critical Infrastructure Cybersecurity,” which gave NIST the responsi- 
bility to develop a framework to reduce cyber risks to critical infrastructure (the 
Cybersecurity Framework). As directed in the Executive order, NIST, working with 
industry, will develop the Cybersecurity Framework and the Department of Home- 
land Security (DHS) will establish performance goals. DHS, in coordination with 
sector-specific agencies, will then support the adoption of the Cybersecurity Frame- 
work by owners and operators of critical infrastructure and other interested entities, 
through a voluntary program. NIST is also working closely with partners through- 
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out the interagency — including the Intelligence Community — to ensure that the 
Framework leverages their expertise and role as the Framework is developed. 

A Cybersecurity Framework is an important element in addressing the challenges 
of improving the cybersecurity of our critical infrastructure. A NIST-coordinated and 
industry-led Framework will draw on standards and best practices that industry al- 
ready develops and uses. NIST coordination will ensure that the process is open and 
transparent to all stakeholders, and will ensure a robust technical underpinning to 
the framework. This approach will significantly bolster the relevance of the result- 
ing Framework to industry, making it more appealing for industry to adopt. 

This multi-stakeholder approach leverages the respective strengths of the public 
and private sectors, and helps develop solutions in which both sides will be invested. 
The approach does not dictate solutions to industry, but rather facilitates industry 
coming together to offer and develop solutions that the private sector is best posi- 
tioned to embrace. Any efforts to better protect critical infrastructure need to be 
supported and implemented by the owners and operators of this infrastructure. 

Underlying all of this work, NIST sees its role in developing the Cybersecurity 
Framework as partnering with industry and other stakeholders to help them de- 
velop the Framework. In addition to this critical convening role, our work will be 
to compile and provide guidance on principles that are applicable across the sectors 
for the full range of quickly evolving threats, based on inputs from DHS and other 
agencies. NIST’s unique technical expertise in various aspects of cybersecurity re- 
lated research, technology development and an established track record of working 
with a broad cross-section of industry and government agencies in the development 
of standards and best practices positions us very well to address this significant na- 
tional challenge in a timely and effective manner. 

NIST’s initial steps towards implementing the Executive order included issuing 
a Request for Information (RFI) in February to gather relevant input from industry 
and other stakeholders, and asking stakeholders to participate in the Cybersecurity 
Framework process. NIST is following up the RFI process with continued engage- 
ment with stakeholders through a series of workshops and events to ensure that we 
can cover the breadth of considerations that will be needed to make this national 
priority a success. We have already initiated an aggressive outreach program to 
raise awareness of this issue and begin engaging industry and stakeholders. NIST 
will continue to bring many diverse stakeholders to the table. Last week, a 3-day 
workshop hosted by Carnegie Mellon University in Pittsburgh allowed NIST to en- 
gage with stakeholders to discuss the foundations of the Framework and the initial 
analysis. 

The Executive order requirement for the Framework to be developed within 1 
year, and a preliminary framework due within 8 months gives this task a sense of 
urgency. Throughout the year, you can expect NIST to use its capabilities to gather 
the input needed to develop the Framework. 

In a year’s time, once we have developed an initial Framework, we will continue 
to need to work with DHS, sector-specific agencies, and the specific sectors them- 
selves to build strong voluntary programs for specific critical infrastructure areas. 
Their work will then inform the needs of critical infrastructure and the next 
versions of the Framework. The goal at the end of this process will be for industry 
to take and manage the Cybersecurity Framework — allowing it to evolve when need- 
ed. 

Although this Executive order will help raise the Nation’s cyber defenses, it does 
not eliminate the urgent need for legislation in these and other areas of 
cybersecurity. The administration’s legislative priorities for the 113th Congress 
build upon the President’s 2011 cybersecurity legislative proposal and take into ac- 
count 2 years of public and congressional discourse about how best to improve the 
Nation’s cybersecurity. 

The administration is working toward legislation that: 

— Facilitates cybersecurity information sharing between the Government and the 
private sector as well as among private sector companies. We believe that such 
sharing can occur in ways that protect privacy and civil liberties protections, re- 
inforce the appropriate roles of civilian and intelligence agencies, and include 
targeted liability protections; 

— Incentivizes the adoption of best practices and standards for critical infrastruc- 
ture by complementing the process set forth under the Executive order; 

— Gives law enforcement the tools to fight crime in the digital age; 

— Updates Federal agency network security laws, and codifies DHS’ cybersecurity 
responsibilities; and 

— Creates a national data breach reporting requirement. 

In each of these legislative areas, the right privacy and civil liberties safeguards 
must be incorporated. The administration wants to continue the dialogue with the 
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Congress and stands ready to work with members of Congress to incorporate our 
core priorities to produce cybersecurity information sharing legislation that address- 
es these critical issues. 

NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY SUPPORT FOR CYBER RESEARCH 

AND DEVELOPMENT 

As highlighted today cybersecurity is a top priority for NIST, which has been re- 
flected in our recent budget requests. In fiscal year 2013 NIST has proposed to in- 
crease cybersecurity spending by §7.5 million with most of this increase supporting 
NIST’s efforts to develop a framework to reduce cyber risks to critical infrastructure 
in support of the EO. In the President’s fiscal year 2014 budget request NIST has 
requested a $24 million increase to its cybersecurity research and development 
(R&D) programs for a total NIST investment in cybersecurity and related efforts of 
$68 million. The requested increases for NIST in fiscal year 2014 will provide addi- 
tional support for NIST’s roles in cyber education, identity management, and will 
support R&D to improve the security and interoperability of our Nation’s cyberspace 
infrastructure, accelerate the development and adoption of cybersecurity standards 
in support of administration priorities, and to support the leading-edge work of the 
National Cybersecurity Center of Excellence (NCCoE). 

CONCLUSION 

The cybersecurity challenge facing critical infrastructure — both in the “dot-gov” 
and the “dot-com” is greater than it ever has been. Active collaboration within the 
public sector, and between the public and private sectors, is the only way to effec- 
tively meet this challenge, leveraging both sectors’ roles, responsibilities, and capa- 
bilities. 

Thank you for the opportunity to present NIST’s views regarding cybersecurity se- 
curity challenges. I appreciate the committee holding this hearing. I look forward 
to working with the committee to help address these pressing challenges. I will be 
pleased to answer any questions you may have. 

Chairwoman Mikulski. Thank you very much, Dr. Gallagher 
and all four witnesses. 

Today the way we will function is we will follow the 5-minute 
rule. We will go in order of arrival. 

We also know that this hearing does not preclude the subcommit- 
tees from also continuing their own hearings where they will even 
probe more deeply. And also, after we have concluded all of our 
questioning, we will also understand that there will be certain as- 
pects — in order to drill down, we will also have an additional classi- 
fied forum this afternoon in the classified section in the Capitol 
Visitor Center. But now we will be in full and open session, not 
precluding further hearings by the subcommittees. 

General Alexander — well, to all, just to reiterate the President’s 
budget, the President has requested $9.2 billion for DOD: $1.2 bil- 
lion, almost $1.3 billion, for DHS; for all of DOJ, including the FBI, 
$589 million; $215 million for Commerce, primarily in NIST; the 
National Science Foundation, $197 million; General Service Admin- 
istration, $50 million; Department of State, $37 million. 

When one hears $13 billion, that is a lot of money. However, we 
are in an enduring war where our citizens are under attack from 
identity theft to State secrets, trade secrets, business secrets, et 
cetera. 

But our question today is, is $13 billion adequate in the various 
areas? Number one. And number two, when we spend the $13 bil- 
lion, will we also avoid the kind of things where — sometimes we 
throw money at a new problem, and often we have what I call 
techno-boondoggles. We have seen it at the FBI in the past. We 
have seen in Homeland Security in the past. We have seen it at 
DOD. So this is what we are doing. 



31 


But let us go right to the President’s request and the purpose. 
As I understand from the administration’s priorities, the adminis- 
tration’s priority — and if you look in the budget statement to us — 
secure the Federal networks, lead by example and make sure our 
networks are safe and secure, protect critical infrastructure, im- 
prove incident response, engage internationally. Number three, 
shape the future. 

General Alexander, you will be getting — if we pass this budget 
where the request is for $9 billion, I understand that $3.5 billion 
will be to protect the DOD network. We understand that. But what 
will you use the other $5.8 billion to do and how will we get secu- 
rity for that dollar and avoid the problems of the past? 

General Alexander. Well, thanks, Senator. It is a lot of money, 
and I can tell you that from our perspective, what we are talking 
about here is not just protecting our networks, but developing the 
forces that we need. So part of that money goes for training and 
outfitting the teams at Cyber Command and our components need. 
Part of that money goes for the information assurance and fixing 
the networks — you hit on part of that — and developing future ar- 
chitectures. 

So when I look at this from my perspective, I believe this is 
right, the right amount. I know the administration and the Defense 
Department has already looked internally to this budget to see 
where we can take cuts, and we did. We cut it back to what we 
thought was the minimum that we could use and still do this job. 

You pointed out, Senator, that for the Defense Department, our 
job is to protect the Nation and our networks and building up the 
infrastructure that we need both within DOD and amongst the 
services and Cyber Command. That is where that $5.8 billion goes. 
So it is split across all those. It does not go to one lump. It helps 
each of the services, Defense Intelligence Agency, and Cyber Com- 
mand do their missions. 

$2.17 billion, as you pointed out and others, goes to NSA for 
doing their job and is part of the intel community’s budget. So that 
is rolled in there as well. 

$582 million goes to U.S. Cyber Command, and that is for five 
key areas: leases for teams, setting up the teams, training our 
teams, starting the military construction to have a place to house 
these teams, for our headquarters, and for research, development, 
training, another $68 million. 

So I think it is the right number. I think we have looked at 
where we could take savings and have done that. I also think it 
is important to state that the Department sees this as an area to 
help ensure the Nation is ready as we look at the rest of our force 
posture. This is going to be key to our future. 

That is all I have, Senator. 

Chairwoman Mikulski. Just a follow-on question. In your testi- 
mony — this goes to protecting critical infrastructure, an obsession 
I think of this committee and something we have concentrated on 
very keenly when we were working on authorizing legislation 
under Lieberman-Collins, or Collins-Lieberman, or now Collins and 
a lot of us. 

But in your testimony, sir, you say from 0 to 10 in our capacity 
to defend our critical infrastructure, you rate us at a 3. A 3. A 3 
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to protect our grid, a 3 to protect our financial services. And my 
question then is of the money that you are getting, I understand 
Homeland Security is supposed to protect us against domestic 
threats. Where do you come in and where does Homeland Security 
come in? And is part of your money also used to do the services 
to support them? 

General Alexander. Well, we do work together, but our mon- 
ies — they are not overlapping in this case, as you point out. 

Specifically, the Defense Department has two sets of roles and 
responsibilities here. One, to build, operate, and defend the DOD 
networks. That is the one responsibility and that is a big cost be- 
cause that is our global forces, and that is the biggest bulk of the 
money that is here. The second part is to develop the teams to de- 
fend the Nation from a cyber attack, and that is where we come 
in. 

Now, we work with DHS. We work with FBI in setting up the 
op centers and funding and supporting those op centers so that we 
can communicate amongst us, but DHS has that responsibility to 
work with industry to set the standards to work recovery and that 
part. FBI has the responsibility to do law enforcement investiga- 
tions. We have the responsibility on the NSA side for the foreign 
intelligence and to defend against an attack. So what we are doing 
is developing the capabilities and the teams. We are still going to 
need legislation to do those operations. 

Chairwoman Mikulski. Well, I could have follow-up, but I want 
to turn to Senator Shelby. 

Senator Shelby. Thank you, Madam Chairman. 

Dr. Gallagher, I will address my first question to you. Since 
NIST has been tasked under the Executive order with developing 
a framework to reduce cyber risk of critical infrastructure, could 
you explain how the NIST process will work, how the development 
of a framework to reduce cyber risk differs from the development 
of standards to reduce such risk? And what do you believe will 
compel private industry, which I think is so important, to imple- 
ment the framework that it has developed? 

And given the evolution of technology, which you are very much 
into, all of you, generally in cyber threats specifically, how useful 
is the development of a broad-based, generic framework long term? 
Will NIST just be chasing its tail, so to speak, or will you be able 
to get ahead of the curve? I would be interested for you to share 
your thoughts here, how the framework and the standards and so 
forth will apply or could apply. 

Dr. Gallagher. Well, thank you very much. 

Senator Shelby. I know that is a mouthful. 

Dr. Gallagher. I am going to do my best. 

The idea behind the framework is very simply to get industry to 
develop a set of practices, standards, methodologies, whatever it 
would take that if implemented would improve cybersecurity per- 
formance. So we used the term “framework” as a term of art to 
refer to whatever you would put into place that would result in en- 
hanced cybersecurity performance. That will include a large meas- 
ure of standards. 

And the idea behind having industry do it, with NIST acting as 
a technical supporting role and a convener, has a couple of motiva- 



33 


tions. First of all, it addresses the capacity. Industry is the one de- 
veloping IT technology and communication technology, and there- 
fore, they know where this technology is going and they can bring 
that skill and that expertise into the process to develop these 
standards. 

Second, this Internet is a global infrastructure, and these compa- 
nies operate at a global scale. And by embedding security perform- 
ance into the products and services themselves, we can, in fact, 
achieve a cybersecurity performance than is much broader than our 
borders, much broader than what we would buy directly. It embeds 
it in the market. It in fact gives our companies the power to shape 
those technologies around the world. 

In terms of chasing our tail, I think in a time when this tech- 
nology is moving so quickly and when the threat environment is 
changing right in front of us, this is going to be an ongoing chal- 
lenge. But I think the bottleneck cannot be NIST. We are simply 
not large enough to support this on our own. Our role really has 
to be viewed as did we help industry come up with a vehicle where 
they can organize and be responsive to this. That is the only way 
sufficient technical capacity can be brought to bear in my view. 

Senator Shelby. Let me pick up on that, if I could. The Execu- 
tive order, as I understand it, discusses the development of a broad 
framework which presumably, I would think, means it will be ge- 
neric in order to have broad applicability to all critical infrastruc- 
ture sectors. But how will, doctor, a generic framework address the 
inherent differences in our critical infrastructure and their unique 
needs for being protected against cyber attacks? In other words, if 
we are not addressing sector-specific needs, how can we be sure 
that we are actually helping to protect any of these industries from 
a cyber attack? 

And last in this same vein, how do you bring industry on board? 
Because they have systems, trade secrets, formulas, everything, 
you name it, to protect and the Government would have to protect 
those and should. How will that work? 

Dr. Gallagher. So you are exactly right. The question you asked 
about industry’s capacity to come together and carry this out is ac- 
tually the central question. How generic and how sector-specific 
this framework looks is, in fact, the exact question that the partici- 
pants in the framework are tackling. 

The good news is that in spite of the strong differences across 
sectors, looking at energy or agriculture or transportation and so 
forth, they are dependent on a core set of communication and IT 
technologies. And one of the big advantages they have to working 
together to set a common platform is that they can drive that per- 
formance into the market and they can buy these computer serv- 
ices and IT equipment at better cost because they are helping to 
shape the entire market. 

And that really gets to one of the questions you raised earlier, 
which is how do you drive adoption of this framework. I think the 
bottom line is doing good cybersecurity has to become good busi- 
ness. In the end, this is all going to be about alignment. These 
framework practices have to be compatible with profitable and well 
run companies. It may very well turn out that the framework dis- 
cussions are more about management and business practices than 
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they are about technical controls, and that is okay if it helps us 
achieve the level of performance we are looking for. 

Senator Shelby. Thank you, Madam Chair. 

Chairwoman Mikulski. Senator Leahy. 

Senator Leahy. Thank you, Madam Chair. 

You know, like most Vermonters, I have had a lot of concern 
about section 215 of the PATRIOT Act, section 702 of the Foreign 
Intelligence Surveillance, the FISA. We have had a number of com- 
mon sense proposals in the Judiciary Committee to improve these 
provisions, but the Intelligence Community has told us that really 
we obviously do not have the ability as simple Senators to know 
anything as well as you do, and so they do not need changes. I am 
told they are critical to our counterterrorism efforts. The Congress 
should not tinker with them at all. We should simply trust you to 
use them the right way, and they should not be made permanent. 

I do not think that is wise. I think that there should be sunset 
provisions, and we should look at them periodically and we should 
actually debate them in a free and open society. 

Now, we have information, recently declassified by the Director 
of National Intelligence, and I am not going into questions of 
whether he contradicted himself on a couple of answers. But taking 
what he has recently declassified, it appears that section 702 collec- 
tion he said was critical to disrupting the Zazi case in New York 
City, but it is not clear that data collected pursuant to 215 of the 
PATRIOT Act was similarly critical or crucial. 

So, General Alexander, let me ask you this. Aside from these two 
cases, has the Intelligence Community kept track of how many 
times phone records obtained through section 215 of the PATRIOT 
Act were critical to discovery and disruption of terrorist threats? 

General Alexander. I do not have those figures today. 

Senator Leahy. Are those figures available? 

General Alexander. We are going to make those figures avail- 
able — 

Senator Leahy. How soon? 

General Alexander. Over the next week, it would be our intent 
to get those figures out. I have talked to the Intel Committee on 
that yesterday. I think it is important to 

Senator Leahy. Wait a minute. You talked to the intel commu- 
nity about this yesterday, but you did not have the figures yester- 
day. 

General Alexander. I gave an approximate number to them in 
a classified 

Senator Leahy. Okay. 

General Alexander. Classified. But it is dozens of terrorist 
events that these have helped prevent. 

Senator Leahy. Okay, so dozens. 

Now, we collect millions and millions and millions of records 
through 215, but dozens of them have proved crucial or critical. 
Right? 

General Alexander. For both here and abroad in disrupting or 
contributing to the disruption of terrorist attacks. 

Senator Leahy. Out of those millions, dozens have been critical. 

General Alexander. That is correct. 
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Senator Leahy. Would you get me the specific — even it has to be 
in classified, the specific cases you are talking about? 

General Alexander. We will, but we are going through the Intel- 
ligence Committee to do this. Tomorrow I will give as clear as we 
have vetted precisely what we have done on each of those. And the 
reason that I want to get this exactly right, Senator, is I want the 
American people to know that we are being transparent in here. 

Senator Leahy. No, no. You are not giving it to the American 
people. You are giving in a classified to specific Members of Con- 
gress. Is that correct? 

General Alexander. Well, there are two parts. We can give the 
classified. That is easy. But I think also for this debate what you 
were asking — and perhaps I misunderstood this, but I think you 
were also asking what we could put out unclassified. And so the 
intent would be to do both. 

Senator Leahy. You can do that within a week? 

General Alexander. That is our intent. I am pushing for that 
and perhaps faster, if I do not get any kicks from behind me. 

Senator Leahy. If you do not get any what? 

General Alexander. Kicks from the people behind me who are 
doing the work because we do want to get this right. And it has 
to be vetted across the community so that what we give you, you 
know, is accurate and we have everybody here, especially between 
the FBI and the rest of the Intelligence Community, who can say 
this is exactly correct. 

Senator Leahy. Now, DNI Clapper said that section 702 collec- 
tion was critical to discovery and disruption of the plot to bomb the 
New York City subway system, the Zazi case. Is that correct? 

General Alexander. That is correct. In fact, not just critical, it 
was the one that developed the lead on it. So I would say it was 
the one that allowed us to know it was happening. 

Senator Leahy. But that is different than section 215. 

General Alexander. That is different than section 215. 

Senator Leahy. 215, phone records; 702 

General Alexander. So if I could, I could explain this. 

Senator Leahy. No, go ahead. 

General Alexander. Because I do think it is important that we 
get this right, and I want the American people to know that we are 
trying to be transparent here, protect civil liberties and privacy, 
but also the security of this country. 

On the New York City one, the Zazi case, it started with a 702 
set of information based on operatives overseas. We saw connec- 
tions into a person in Colorado. That was passed to the FBI. The 
FBI determined who that was, Zazi, and phone numbers that went 
to that. The phone numbers on Zazi were the things that then al- 
lowed us to use the business records, FISA, to go and find out con- 
nections from Zazi to other players throughout the communities, 
specifically in New York City. That is how those two worked to- 
gether. 

Senator Leahy. Was 215 critical? 

General Alexander. I think 215 is critical in corroborating and 
in helping us understand 

Senator Leahy. Was it critical in Zazi ? 
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General Alexander. Not to Zazi because the first part to Zazi 
went to the 702. 

Senator Leahy. And Headley? Was either 702 or 215 critical? 

General Alexander. 702 on Headley and some on the business 
record, FISA, for corroborating. 

And I think it is important to understand because this is an 
issue that I think will be part of the debate. And I would put on 
there, Senator, also the Boston. I think we need to walk through 
that so that what we have on the business record, FISA, what we 
have on 702, what you debate, the facts that we can give you is 
what we do with that, how we tip that to the FBI, if we took that 
away, what we could not do, and is that something that when we 
look at this from a security perspective 

Senator Leahy. Of course, in Boston, if you are talking about the 
marathon case, what the FBI could have done was to pass on the 
information to the Boston authorities. They said they did not. That 
might have been helpful too. 

But my time is up. I mention this only because before it is 
brought up in the Judiciary Committee, we are going to be asking 
some very, very specific questions. 

General Alexander. So if I could, Senator, I just want to make 
sure that we are clear on one point. When I say “dozens”, what I 
am talking about here is that these authorities complement each 
other in helping us identify different terrorist actions and help dis- 
rupt them. They complement each other. So what you are asking 
me is to state unequivocally that A or B contributed solely to that. 
The reality is they work together. And we have got to help make 
that clear to you 

Senator Leahy. And I will be waiting to see those specific exam- 
ples either in open or classified fashion. 

Chairwoman Mikulski. Senator Cochran. 

Senator Cochran. Madam Chair, thank you. 

Let me first ask General Alexander a question. In testimony that 
was received by the Armed Services Committee, there was a dis- 
cussion about how to provide incentives to talented military per- 
sonnel who might be interested in becoming involved in the 
cybersecurity field. I know it is hard to contemplate how you just 
wave a magic wand and have all of the talented people available 
in the right places with the right responsibilities. 

What do you see as a first step in trying to get an infrastructure 
of leadership organized appropriately to carry out these missions? 

General Alexander. Senator, thanks. 

I think the most important part, top to bottom, is the training, 
coming up with a clear training program, which we have done with 
the services and with NSA to develop a set of standards. I think 
the training, in and of itself, helps us build a great cyber force, and 
it is that training for the leaders so we have training at the staff 
officer level, at the team level, all the way down to the individual 
operator. And we are standardizing that training amongst the serv- 
ices and between NSA and Cyber Command. 

I think raising those standards up has a couple of benefits. The 
soldiers, sailors, airmen, marines, and civilians that come into this 
field get great training, and it is something that they look forward 
to. And the operations that they do are significant. I think they 
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really feel good about what they are able to do for our country. So 
from my perspective, it starts with training and building that kind 
of a force. 

You mentioned incentives, Senator, if I could. I think incentives 
is going to play a key part in this. As incentive pay for languages 
plays a key part, I think incentives for our cyber force is also going 
to play a key part. And we have had discussions with the services 
about how to start that. We do not have that in this program yet, 
but that is something that we are looking at. 

Senator Cochran. Does the Department of Defense have the re- 
sources to maintain a number of cyber test ranges across the serv- 
ices and agencies, for training and research purposes? I know you 
carry out exercises that test the compatibility of cyber capabilities 
with conventional weapons and other weapons systems. Could you 
share with the committee what your thoughts are about cyber 
ranges and whether you plan to dedicate certain areas exclusively 
for these purposes? 

General Alexander. Senator, that is a great question and one 
that we are putting a lot of effort into because I do think we need 
to bring the ranges together so that we have a joint approach to 
this. 

One of the things that I would point out is the service academies 
play a cyber defense exercise together, and this gets into your 
range issue. And when you look at so how do you defend your net- 
works in a way — the service academies compete against each other 
for seeing who has the most defensible network. When you think 
about that, in a cyber range what you want people to do is to prac- 
tice their tactics, techniques, and procedures in a sterile environ- 
ment so nothing bad happens. It only happens inside that. They 
can learn. We have seen that on the military side. The National 
Training Center and other things are great places for that. We 
need to do the same here. So those that are defending our networks 
know what the adversaries are going to do and are prepared for all 
those contingencies. It helps raise that. And I think bringing the 
ranges together ensures that they are operating at the right level 
as a joint team. 

Senator Cochran. My staff informed me that last week our com- 
mittee received a notice that about one-half of NSA’s personnel in 
the Cyber Threat Center could be furloughed as a result of seques- 
tration. Now, that is a fine “How do you do?” Has there been any 
attention given to what you are going to do to address shortfalls 
due to sequestration? 

General Alexander. So we have worked this. It is across the De- 
fense Department. So the sequestration for all the military has 
been standardized across all the departments. The NSA — on the in- 
telligence side is not there — but all of Cyber Command — our civil- 
ians will be sequestered. Right now that is an 11-day or 1 day a 
week for the last 11 weeks of the fiscal year. That has a significant 
impact on us and all others that will be furloughed. I think that 
is a key issue and has significant impact on our people. And it goes 
right back to how do you hire good people and then furlough them. 
This is a tough issue that not only we face but the rest of the De- 
partment. 

Senator Cochran. Thank you, Madam Chair. 
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Chairwoman Mikulski. Thank you, Senator Cochran, and thank 
you for raising the sequester issue. It has been raised at the intel 
hearing when we listened to the worldwide threat right as we were 
moving into the continuing funding resolution. DNI Clapper asked 
for more flexibility. Of course, he wanted more money but more 
flexibility. We were precluded by the House from putting that in 
the bill. I think the intel community, which is primarily particu- 
larly a DOD civilian force — you need that flexibility. 

So we look forward to working on both sides of the aisle and both 
sides of the dome to be able to do this. 

I just would like to share with the committee the order. We are 
going to go to Durbin, then Johanns, Merkley, Collins, Tom Udall, 
Senator Coats, Senator Landrieu, and Senator Feinstein, you came 
before the testimony started. So instead of alternating, we will go 
right to you. Then we will go to Senator Boozman and then Senator 
Pryor. That is our order of our lineup. So now it is going to be Dur- 
bin, Johanns, Merkley, Collins. Senator Durbin. 

Senator Durbin. Thank you, Madam Chair. And thanks as well 
to Senator Mikulski for bringing the cyber issue into sharp focus 
for the entire Senate with our bipartisan briefing. 

I was on the Intelligence Committee right at the time of 9/11. I 
saw what happened immediately afterwards. There was a dramatic 
investment in intelligence resources for our Nation to keep us safe 
and a dramatic investment in the personnel to execute the plan to 
keep us safe. 

I trusted — and I still do — that we were hiring the very best, 
trusting them to not only give us their best in terms of knowledge 
but also their loyalty to our country. 

I would like to ask you about one of those employees who is now 
in a Hong Kong hotel, and what we know about him is as follows. 
He was a high school dropout. He was a community college drop- 
out. He had a GED degree. He was injured in training for the U.S. 
Army and had to leave as a result of that. And he took a job as 
a security guard for the NSA in Maryland. Shortly thereafter, he 
took a job for the CIA in what is characterized as IT security in 
the Guardian piece that was published. 

At age 23, he was stationed in an undercover matter overseas for 
the CIA and was given clearance and access to a wide array of clas- 
sified documents. 

At age 25, he went to work for a private contractor and most re- 
cently worked for Booz Allen, another private contractor working 
for our Government. 

I am trying to look at this resume and background. It says he 
ended up earning somewhere between $122,000 and $200,000 a 
year. I am trying to look at the resume background for this indi- 
vidual who had access to this highly classified information at such 
a young age with a limited educational and work experience, part 
of it as a security guard, and ask you if you are troubled that he 
was given that kind of opportunity to be so close to important infor- 
mation that was critical to the security of our Nation. 

General Alexander. I do have concerns about that. Over the 
process, Senator, I have grave concerns over that. The access that 
he had, the process that we did — and those are things that I have 
to look into and fix from my end and across the intel community, 
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Director Clapper said we are going to look across that as well. I 
think those absolutely need to be looked at. 

I would point out that in the IT arena, in the cyber arena, some 
of these folks have tremendous skills to operate networks. That 
was his job for the most part from the 2009/2010 as an IT, a sys- 
tem administrator within those networks. He had great skills in 
that area. 

But the rest of it, you have hit on the head. We do have to go 
back and look at these processes, the oversight on those — we have 
those — where they went wrong and how we fix those. 

Senator Durbin. Let me shift to another topic raised by Senator 
Leahy, section 215. 10 years ago, I first introduced legislation 
known as the SAFE Act. It was a bipartisan bill to reform the PA- 
TRIOT Act. My cosponsors included Senators Chuck Hagel, John 
Kerry, and Barack Obama. My most significant concern with 215 
was that it would be used to obtain sensitive personal information 
of innocent Americans who had no connection to any suspected ter- 
rorism or spy activity. 

When the PATRIOT Act was up for reauthorization in 2005, I 
worked to establish a new standard for 215, and under the stand- 
ard, the FBI would have broad authority to obtain any information, 
even tangentially connected to a suspected terrorist or spy, such as 
the examples you used in the Zazi case. 702 information could have 
led to 215 phone record information on any suspect. But under my 
provision, innocent Americans with no connection to any of these 
activities or suspects would be protected. 

The Republican-controlled Senate approved my reform to 215 
unanimously. However, the Bush administration objected. It was 
removed in the conference committee. 

2009, I tried again with no success to put this protection of inno- 
cent Americans back into the PATRIOT Act. 

Now the cloak has been lifted by media reports that the NSA ob- 
tained phone records of millions of innocent Americans with no 
connection to terrorism. The data includes the numbers of both 
parties to the calls, the location of the callers, the time and dura- 
tion of the calls. I have been briefed on these programs, and I obvi- 
ously will not discuss their details here. But it appears to me the 
Government could obtain the useful information we need to stay 
safe and still protect innocent Americans. 

My question to you is this. Section 215 can be used to obtain, 
“any tangible thing” that could include medical records, Internet 
search records, tax records, credit card records, et cetera. 

Last year, the Government filed 212 section 215 orders. That is 
an increase from 21 such orders in 2009. So clearly, this authority 
is being used for something more than phone records. 

So let me ask you. Do you think section 215 giving you authority 
to secure tangible things could include the categories of information 
that I just listed? 

General Alexander. I do not use those, so I am not aware of 
anything that goes that — that would be outside of NSA. All we use 
this for today is the business records, FISA. 

I would point out — I just want to characterize something that 
you said here. As you know, this was developed — and I agree with 
you. We all had this concern coming out of 9/11. How are we going 
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to protect the Nation? Because we did get intercepts on Midar, but 
we did not know where he was. We did not have the data collected 
to know that he was a bad person. And because he was in the 
United States, the way we treat it is he is a U.S. person. So we 
had no information on that, and if we did not collect that ahead 
of time, we could not make those connections. 

So what we create is a set of data and we put it out here, and 
then only under specific times can we query that data. And as you 
know, Senator, every time we do that, it is auditable by the com- 
mittees, by the Justice Department, by the court, and by the ad- 
ministration. We get oversight from everybody on this. 

Senator Durbin. I am over my time, but here is the point. If you 
knew that a suspect had made a call into area code 312, the city 
of Chicago, it certainly defies logic that you need to collect all of 
the telephone calls made in the 312 area code on the chance that 
one of those persons might be on the other end of the phone. Now, 
if you have a suspected contact, that to me is clear. I want you to 
go after that person. What I am concerned about is the reach be- 
yond that that affects innocent people. 

General Alexander. So we agree at least on that part. 

And the next step, I think, in the debate that we actually need 
to talk about is so what happens if you do not know he is in 312 
yet. And so something happens, and now we say who was he talk- 
ing to. So let us take Midar. You had authorized us to get Midar’s 
phones in California. But Midar was talking to the other four 
teams. Under the business record, FISA, because we had stored 
that data in a database, we now have what we call reasonable, 
articulable suspicion. We could take that number and go backward 
in time and see who he was talking to. And if we saw there were 
four other groups, we would not know who those people were. We 
would only get the numbers. We would say this looks of interest 
and pass that to the FBI. We do not look at the identities of it. We 
only look at the connections. 

Senator Durbin. I am way over time. I am not going to dwell on 
it. 

You have just given a clear illustration where you had specific 
information about telephone contacts, which I do not quarrel with. 
What I quarrel with is collecting all of the information in Cali- 
fornia on telephone records to try to find that specific case. That 
to me seems overly broad. 

Chairwoman Mikulski. Thank you very much. 

Senator Johanns. 

Senator Johanns. General Alexander, I want to talk to you 
about Cyber Command, but Senator Durbin has raised a very in- 
teresting question. And let me just follow up on this. 

Would this lead — the scenario that he has laid out — to a tele- 
phone record search for all of Omaha? Or walk us through that. 

General Alexander. So the methodology would be what is put 
into a secure environment called “detail records.” These are to/from 
records and at a selected time. So we do not know anything that 
is in there. We will not search that unless we have some reason- 
able, articulable suspicion about a terrorist -related organization. If 
we see that, we have to prove that we have that. Then given that, 
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we can now look and say who was this guy talking to in the United 
States and why. 

Senator Johanns. And so you could search across the breadth of 
telephone records. 

General Alexander. All you are looking for on that is so who did 
he talk to. 

Senator Johanns. Yes. 

General Alexander. And so the system just gives us back who 
he was talking to. But if you did not collect it, how do you know 
who he was talking to? And so the issue really becomes if you do 
not have the information — so I do not give you any connections. I 
just give you a number and say, now, find who he is talking to. You 
do not have the information. 

So this was the debate. I mean, you bring it up because this 
came up 10 years ago. So how do we do that? How do we solve this 
problem? And the answer was we want to protect civil liberties and 
privacy. We do. And we want to protect the country. So the thought 
was a reasonable approach that we all agreed on — the Congress, 
the courts, the administration — was we will put this in a way that 
we have tremendous oversight by the court. And so every time your 
people, a small set of those, can go in, they have to have a reason 
to go in and look at the data. And when they get something out, 
they have to look at it and say does this meet the reporting guide- 
lines and put that in the report. Only a few reports a year go out 
on that, just a handful — handfuls. 

Senator Johanns. Does this extend beyond telephone records? 
For example, could you check and see what that person is 
Googling? Could you check and see who that person is e-mailing? 

General Alexander. So there are two parts of your question 
here. 

So going to the next step, once we identify a person of interest, 
then it goes to the FBI. The FBI will then look at that and say 
what more do we need to now look at that individual themselves. 
So there are issues and things that they would then look at if 
passed to them. 

Senator Johanns. So the answer to the question is yes. 

General Alexander. Yes, you could. I mean, you can get a court 
order to do that. So in either case 

Senator Johanns. But would that take a court order? 

General Alexander. It would. To do any kind of search in these 
areas on a U.S. person, you have to have a court order. 

Senator Johanns. So now you have gotten into phone records. 
You have gotten into who they might be Googling. You have gotten 
who they might be e-mailing. What else do you feel that you can 
get? 

General Alexander. So I am not sure of your question. On a ter- 
rorist acting in the United States 

Senator Johanns. Well, you do not know if it is a terrorist yet. 
You have got this reasonable suspicion, which is not even probable 
cause. You have just got this kind of uneasy notion, this feeling 
that something is happening here. 

General Alexander. So that is the 

Chairwoman Mikulski. Wait, wait. Let us just stop here a 
minute. We are not going to inhibit your questions, but I think we 



42 


need to clarify that the activity in which you are operating, Gen- 
eral Alexander — so we are getting into probable cause, a lot of 
these that are absolutely important in a debate. But you will be 
functioning also with a warrant. 

Senator Feinstein, did you want to clarify? Just if we could. 

Senator Feinstein. If I may. 

Chairwoman Mikulski. And I am going to come back and give 
you more time. Senator Johanns, you will get more time. 

Senator Johanns. Thank you. 

Senator Feinstein. If I may quickly, Senator. 

It is my understanding you have the metadata. You have the 
records of what appears on a phone bill, and if you want to go to 
the content, then you have to get a court order, the same thing you 
would do in a criminal case. You would have to get a court order 
that would permit you to collect the content of the call. You can 
ask him if that is right or wrong. 

General Alexander. But it is correct. 

Senator Johanns. And I assume that, but I am not talking about 
content at this point. I am not asking if you can read somebody’s 
emails. I am assuming at some point there would be a legal stand- 
ard by which you could do that. Being a lawyer, I know that. 

What I am only getting to is you have identified for us that you 
can get phone contacts. I am asking can you get Google contacts. 
Can you get e-mail contacts? I am not talking about reading the 
e-mail or seeing what they are saying back and forth. I am not at 
that point. But what I worry about is how far do you believe this 
authority extends. Can you get Google contacts? Can you get e-mail 
contacts? Again, I am not asking about reading the e-mail. 

General Alexander. So I think there are a couple things here 
that I want to make sure that we have got. 

The BR-FISA only talks about phone contacts, phone metadata. 
That is all that program talks about. So any program that we 
have — and Senator Feinstein, if you want to get the content, you 
would have to get a court order. In any of these programs, you 
know we have court orders for doing that, with oversight by the 
Congress, by the courts, and by the administration. 

So my concern in all of this is that I think this is an area where 
we have to give you both the detail — and I think we need this for 
the American people. They need to understand it so they can see 
what we are doing and what the results of it are. I do think that 
is important. 

I also believe — you know, we had this debate several times — and 
Senator Durbin brought it up — from 2001 on. And this is one now 
where we need to bring out, because of these leaks, the rest of the 
story, show what we do, what it protects the country from, and 
have the debate. Does it make sense? In order to do that, I think 
what we have to give you is the rest of that data. Tomorrow we 
will put that in a classified session, but the intent would be to try 
to get as much out publicly so that everybody has the information, 
where we can. 

And the reason that I hesitate a little bit here is I do not want 
to make the mistake that causes the statements that I have for our 
country to lose some form of protection and we get hit with a ter- 
rorist attack because I made that mistake. 
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Senator Johanns. And I thank the Chair for the additional time. 
I will wrap up with a comment. 

The concern here — the American public is fearful that in this 
massive amount of data you get, that there is the ability of the 
Federal Government to synthesize that data and learn something 
more than maybe what was ever contemplated by the PATRIOT 
Act. That would be number one. 

The second thing is a more personal issue, and it kind of gets 
into some of the concerns about Cyber Command. And that is, you 
are in this hugely unique role. We have always had this view of 
separating the civilian leadership politically elected from the mili- 
tary leadership, and yet you have got this dual hat. And it creates 
a concern not about you because you have got a remarkable record, 
and I thank you for your service. But it is a very, very concerning 
role that we find you in, at least for Mike Johanns. And I just 
think we have got to get some information out to the public be- 
cause right now we are all getting bombarded with questions that 
many of us at the rank and file level in the Senate cannot answer. 
I am not the chair of the Intelligence Committee. I am not the 
ranking member. I do not serve on the committee. And the impres- 
sion has been created that people are parked in our office giving 
us daily briefings on this or monthly briefings and that has not 
been the case. So we need to know. 

Chairwoman Mikulski. Senator Johanns, I think you had an ex- 
cellent line of questioning, and I must say the tone and demeanor 
are appreciated. 

Senator Johanns. Thank you. 

Chairwoman Mikulski. And, General Alexander, we are going to 
move on from this topic. I think you have that. Senator Merkley 
has been waiting. What we are now moving into is a domain that 
is not the parameters of this hearing, though this Senator will not 
inhibit any Senator from asking any question they want. 

I want to remind the Senators that tomorrow in the Feinstein 
hearing, many of these can be followed and I hope it is a learning 
experience that when you go to Feinstein, your questions will even 
be as cogent and comprehensive as they are here today. 

So, Senator Merkley, we are going to turn to you now. 

Senator Merkley. Thank you very much, Madam Chair. 

And thank you, General. You referred to section 215, and 215 re- 
quires an application for production of any tangible thing. And it 
says in it that this application must have a statement of facts 
showing reasonable grounds that the tangible things sought are 
relevant to an authorized investigation. So we have several stand- 
ards of law embedded in this application, a statement of facts, rea- 
sonable grounds, tangible things that are relevant to an authorized 
investigation. 

Now, as it has been described in this conversation and in the 
press, the standard for collecting phone records on Americans is 
now all phone records all the time all across America. How do we 
get from the reasonable grounds, relevant authorized investigation, 
statement of facts to all phone records all the time, all locations? 
How do you make that transition and how has the standard of the 
law been met? 
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General Alexander. Well, so this is what we have to deal with 
the court, and I think that we go through this court process. It is 
a very deliberate process where we meet all of those portions of 
215. We lay out for the court what we are going to do, and to meet 
that portion that you just said, the answer is we do not get to look 
at the data. We do not get to swim through the data. 

Senator Merkley. Let me stop you there because these are re- 
quirements to acquire the data, not to analyze the data, to acquire 
the data. This is the application to acquire the data. 

So here I have my Verizon phone, my cell phone. What author- 
ized investigation gave you the grounds for acquiring my cell phone 
data? 

General Alexander. I want to make sure I get this exactly right. 
You know, I think on the legal standards and stuff, on this part 
here, I think we need to get the Department of Justice and others 
because it is a complex area. And you are asking a specific ques- 
tion. I do not want to shirk that, but I want to make sure I get 
it exactly right. And so I do think what we should do, as part of 
perhaps the closed hearing tomorrow, walk through that with the 
intent of taking what you have asked and seeing if we can get it 
declassified and out to the American people so they see exactly how 
we do it because I do think that should be answered. 

Senator Merkley. General, thank you. Let me fill in the middle 
piece here. In between 

Chairwoman Mikulski. Senator Merkley, I would like to help 
you out. I think Senator Merkley has asked an excellent question, 
and you want to get it right. And the answer, I would suggest, 
should be in writing. That way you get it right and he gets his an- 
swer. How does that sound? 

General Alexander. We will take that for the record. 

Senator Feinstein. If you will yield. I have asked that that ques- 
tion get answered tomorrow at the hearing by DOJ, Senator 
Merkley, exactly as you have delivered the question. 

Chairwoman Mikulski. Okay. But either way, Senator Merkley 
should get his answer, and I would suggest perhaps both in writ- 
ing, your hearing, and into his hands. 

Senator Merkley. I thank the Chair, both chairs. 

If I can elaborate on the piece that I would like answered, is that 
okay, Madam Chair? 

Chairwoman Mikulski. It is your time. 

Senator Merkley. In between these two pieces, a FISA court 
gives an interpretation of the plain language of the law. Their in- 
terpretation is what translates the standards in the law into what 
is governable in terms of what you can do. 

I had an amendment last December that said these findings of 
law that translate the requirements that are in the law into what 
is permissible needs to be declassified so we can have the debate. 

I believe that what you just said is you want that information 
to be declassified that explains how you get from these standards 
of law to the conduct that has now been presented publicly. Did I 
catch that right? And do you support the standards of law, the in- 
terpretations of the FISA court of the plain language to be set be- 
fore the American people so we can have this debate? 
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General Alexander. I think that makes sense. I am not the only 
decisionmaker in the administration on this process. So there are 
two issues. I am not equivocating. I just want to make sure that 
I have put this expectation exactly right, and that is I do not want 
to jeopardize the security of Americans by making a mistake and 
saying, yes, we are going to do all that. But the intent is to get the 
transparency there. 

So, Senator, I will work hard to do that, and if I cannot do that, 
I will come back to you and tell you why and then we should have 
that discussion and run it out. And I would defer to the chair of 
the Intel Committee, but I think that is reasonable to get this out. 

Now, having said that, I do not have the legal background that 
perhaps you have in this area. I want this debate out there for a 
couple reasons. I think what we are doing to protect American citi- 
zens here is the right thing. Our agency takes great pride in pro- 
tecting this Nation and our civil liberties and privacy and doing it 
in partnership with this committee, with this Congress, and with 
the courts. We have everybody there. We are not trying to hide it. 
We are trying to protect America. So we need your help in doing 
that. This is not something that is just NSA or the administration 
doing it on its own. This is what we — that our Nation expects our 
Government to do for us. So we ought to have that debate. We 
ought to put it out there and we have got to put those two together. 
So I just want to put that one caveat there, and if I can make it 
happen, I will. 

Senator Merkley. General, I thank you for your expression of 
support. 

I also want to thank Chair Feinstein who helped develop and 
sent a letter expressing this concern about the secrecy of the inter- 
pretations of the FISA court. I do think it is time that that become 
understandable in public because otherwise how in a democracy do 
you have a debate if you do not know what the plain language 
means. I do have concerns about that translation. I will continue 
this conversation and thank you. 

Chairwoman Mikulski. Senator Collins. 

Senator Collins. Thank you, Madam Chairman. 

Madam Chairman, I am actually going to ask a question about 
computer security, but before I do so, I do want to give General Al- 
exander a chance to answer a very quick question that has to do 
with Americans’ concern about their own private computer security 
and privacy. 

I saw an interview in which Mr. Snowden claimed that due to 
his position at NSA, he could tap into virtually any Americans’ 
phone calls or emails. True or false? 

General Alexander. False. I know of no way to do that. 

Senator Collins. Thank you. I just wanted to clarify that be- 
cause perhaps that is one issue we could put to rest. 

Now let me switch to the computer security question. 

Chairwoman Mikulski. Oh, boy. 

General Alexander. We are not ready for those. 

CRITICAL infrastructure: incidents reporting 

Senator Collins. In the President’s budget, it is mentioned that 
the Nation has four top cyber risks, and the first one listed is one 
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that has been of great concern to me since we produced the bill last 
year that, unfortunately, could not get past a filibuster, and that 
is attacks that are aimed at our critical infrastructure. And Sec- 
retary Beers, I am going to ask you this question. 

The General has alluded to the fact that much of our critical in- 
frastructure is owned or operated by the private sector. In fact, it 
is 85 percent that is in the private sector. And our FBI witness has 
talked about the iGuardian program which encourages private in- 
dustry partners to report cyber incidents to the Government in real 
time. 

Our legislation last year had a requirement that the owners and 
operators of critical infrastructure — not all infrastructure, critical 
infrastructure — would be required to report major cybersecurity in- 
cidents. Does the administration still support mandatory reporting 
in such cases? 

Mr. Beers. Senator, that was our position then and that remains 
our position at this point in time. Obviously, we are prepared to 
work with the Congress. You all ultimately write the legislation. 
But that remains the administration’s position. 

Senator Collins. Thank you. 

In that legislation, we did pay attention to the need for a more 
expert cyber workforce, and boy, this latest account, which Senator 
Durbin did such a great job of going through the resume of this in- 
dividual, just underscores how much work there is to be done in 
making sure that whether it is public sector or private sector, that 
we have a well vetted, well qualified cyber workforce. 

I would like to hear from all four of you on whether you are hav- 
ing difficulties in recruiting individuals who have the skills that 
you need and doing the appropriate vetting of them so that we can 
avoid having the hiring of a young high school dropout, community 
college dropout, did not complete his military service, young person 
with so little experience being given access to so much classified in- 
formation. And, General Alexander, we will start with you and 
then just go down the panel. 

General Alexander. Well, Senator, I would just like to state first 
that in the military, we are going to hire young folks out of high 
school, who graduate from high school, to work in this area. And 
the key will be the training that we give them. 

Now, ideally we would like to get 4 years out of a top-notch engi- 
neering school for some of the military positions, but we will not 
get that. So what we have is a responsibility to train them, bring 
them into the force and train them. And we have a program, but 
it takes several years to get somebody trained in this area, as you 
know. So in effect, what we are running is a cyber college for many 
of our young enlisted folks to get them to the requisite skills. 

On the NSA side, we are able to hire more college graduates into 
the Government side of that. 

What I need I think is greater scrutiny. What I need to go back 
and look at is what am I getting with my contract support and 
what are their capabilities and how do we manage that from a Gov- 
ernment perspective. So that is something I have concerns about 
and I have got to go back and address. 
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QUALIFIED WORKFORCE: RECRUITING AND RETAINING 

Senator Collins. Secretary Beers. 

Mr. Beers. Senator, we have a major initiative underway, as you 
are well aware. We have defined our cyber workforce. We are 
matching the positions with the skill set that is required to serve 
in those positions. We are also in the process of looking to hire an- 
other 600 individuals to augment that 1,500-person workforce. We 
have a series of programs, one with community colleges where we 
are looking to find people who have taken the correct, appropriate 
courses at the community college level who we can hire as begin- 
ning workforce members and train them up. We also have a pro- 
gram in conjunction with NS A that goes to colleges and univer- 
sities that have Centers for Excellence that provide us with top- 
notch 4-year graduates. And then we have an effort to reach out 
to the private sector to find individuals there. 

I think we have an excellent workforce, but we have, as you well 
know, a provision that was in the bill that you worked on 

Senator Collins. Correct. 

Mr. Beers [continuing]. And that we would like to see in any 
cyber legislation that gives us some assistance in terms of both re- 
cruiting and retaining that kind of a workforce which would allow 
us comparable pay and benefits to what NSA is able to offer to its 
workforce. 

Thank you. 

Senator Collins. Thank you. I know my time has expired. So I 
am going to ask the other two witnesses to submit their answers 
for the record. 

But I thank the whole workforce issue is absolutely critical. We 
did have that as an important part of our bill last year. 

Thank you, Madam Chairman. 

Chairwoman Mikulski. I think you are absolutely right, Senator 
Collins, and thank you for asking a question actually on the topic, 
though it is our security. 

And we are going to turn now to Senator Udall, but just to add 
to that, as we go to Senator Udall, we keep hearing Snowden had 
the skills. Well, maybe he did. You know, but just because you are 
a swimmer and you are a champion swimmer does not mean we 
ought to make you a Navy SEAL. So I will leave it at that. 

Senator Udall. 

Senator Udall. Thank you, Madam Chair, and I thank the en- 
tire panel for their service to the country in these very difficult 
times. 

First, I would like to welcome Dr. Pat Gallagher. Although his 
career took him away from Albuquerque, Dr. Gallagher is a native 
of New Mexico, and I want to recognize him for his leadership at 
NIST and his commitment to public service. Pat, it is good to have 
you here today. 

American citizens, businesses, and Government agencies face se- 
rious cyber threats, and you have talked about some of these here 
today. Personal data, trade secrets, and national security secrets 
are at risk from intrusion by independent hackers and foreign gov- 
ernments. And I have supported cybersecurity legislation in the 
Senate, and I support funding for our cybersecurity defense. 
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But the elephant in the room today here is — and we have been 
talking about it some — that many Americans are also becoming 
more concerned about what their own Government is doing with 
domestic surveillance. Last week, we learned of widespread collec- 
tion of Americans’ phone records under section 215 of the PA- 
TRIOT Act, also the massive-scale online surveillance through the 
PRISM system conducted under FISA section 702. 

I want to let you know, I voted against the PATRIOT Act in 2001 
and the FISA Amendment Act in 2008. I have also voted against 
their reauthorizations since then. Several of us attempted to add 
privacy protections to these laws but faced strong resistance, as 
Senator Durbin indicated. 

Today I am sending a bipartisan letter to the Privacy and Civil 
Liberties Oversight Board asking them to make it a priority to in- 
vestigate the bulk phone records collection and the PRISM program 
to determine whether they, number one, are conducted within the 
statutory authority granted by Congress and, number two, take the 
necessary precautions to protect the privacy and civil liberties of 
American citizens under the Constitution. 

The Board was created by the Congress based on a recommenda- 
tion of the 9/11 Commission, but it has taken years — many of you 
realize this and know this — to get a full membership and a chair- 
man. I have been working to get this Board operational since I was 
in the House, and I believe it can provide an important check 
against civil liberties abuses. 

Richard Clarke, who was the counterterrorism aide under three 
Presidents I believe, just wrote an article recently on this and sug- 
gested we would not have the problems today if we had stood up 
this Board much more quickly. 

General Alexander, will the NS A cooperate with any investiga- 
tion conducted by the Privacy and Civil Liberties Oversight Board 
into the agency’s collection and analysis programs? 

General Alexander. Senator, we will. And I think, in fact, my 
Deputy met with the Board yesterday and actually briefed them for 
a couple of hours on both programs so that they understood. And 
I do not know if you have gotten feedback from that, but my under- 
standing is I think it went well. 

I think you bring up a very important point here because I do 
think what we are doing does protect Americans’ civil liberties and 
privacy. The issue is to date we have not been able to explain it 
because it is classified. So that issue is something that we are 
wrestling with. How do we explain this and still keep this Nation 
secure? That is the issue that we have in front of us. 

So you know that this was something that was debated vigor- 
ously in the Congress, both the House and the Senate, within the 
administration and now works for the court. So when you look at 
this, this is not us doing something under the covers. This is what 
we are doing on behalf of all of us for the good of this country. Now 
what we need to do, I think, is to bring as many facts as we can 
out to the American people. 

So I agree with you, but I just want to make that clear because 
the perspective is that we are trying to hide something because we 
did something wrong. We are not. We want to tell you what we are 
doing and tell you that it is right and let the American people see 
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this. I think that is important, but I do not want to jeopardize the 
security of our country or our allies. So that is what we have to 
weigh in what we look at what we are going to declassify to allow 
this very public debate. 

Senator Udall. General, I very much appreciate your answer, 
but it is very, very difficult, I think, to have a transparent debate 
about secret programs approved by a secret court issuing secret 
court orders based on secret interpretations of the law. 

I know there are many other questions here, and I am going to 
ask the ones in closed session when we get together later in the 
week. I have several other questions on cybersecurity, but I see my 
time has expired and so I will submit those for the record. 

But thank you very much for your answers, and I very much ap- 
preciate you meeting with the Board and briefing them on what 
you are doing. I think that they are a good counterbalance in terms 
of what is going on here in terms of asking questions and then 
being able to, I hope, have the credibility of the American people 
to answer some of these questions also. Thank you. 

Thank you, Madam Chair. 

Chairwoman Mikulski. We are now going to turn to Senator 
Coats, but before we do, I want to respond to a Tweet about me 
from Rosie Gray. Rosie Gray said on her Tweet 17 minutes ago, 
“Senator Barb is trying hard to keep the other Senators from ask- 
ing General Alexander any more about data mining programs. Not 
everybody might be watching C-SPAN.” So I want to say to Rosie 
and to others who might read from Rosie there is no attempt here 
to muzzle, stifle any Senator from asking any line of questions. 

And so we have an open hearing, but the purpose of the hearing 
was on the enduring war of cybersecurity. While we might be con- 
cerned about data mining and who is reading our — the phone 
records, et cetera, we are also concerned about stealing the — the 
cyber fraud that is going on against our senior citizens, our identity 
theft, stealing our cures for cancer that are pending over at the 
Food and Drug Administration (FDA). So we are here on cyber. But 
any Senator can ask any question at this hearing that they want 
to. 

So, Rosie, it is an open hearing. “Hi.” Look forward to keeping 
in touch. 

Senator Coats. 

Senator Coats. Well, I want to send a message to Rosie also. 

As a member of the other party, Senator Mikulski, chairwoman 
of this committee, has been extremely tolerant of our diversion 
from what the purpose of this appropriations hearing was. This is 
the Appropriations Committee. Our purpose is to determine what 
kind of financial resources our agencies need to address critical 
issues facing our country, and we have diverted, thanks to the tol- 
erance of the Chair, to a critical question but one that, as General 
Alexander said, is scheduled to be and will be thoroughly discussed 
with every Member of Congress and with the public to the extent 
that is possible. 

General, I appreciate your answer to Senator Udall’s last ques- 
tion. You are walking a very difficult tightrope here because there 
are demands that you release previously classified information to 
not just Members of Congress, but to the general public. And if you 
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do not do that, this frenzy of mischaracterization of these programs 
will continue in the public. And so you are caught between a rock 
and a hard place. I regret that. 

I have been urging my colleagues that before they draw a conclu- 
sion and go public with that conclusion, they first learn about the 
counterterrorism program because the more you learn about the 
program, the more you realize the enormous effort that has been 
made to respect the privacy and civil liberties of Americans and the 
hurdles you have to go through to get the most minimal list of in- 
formation. 

I think as the public hears more mischaracterizations of this pro- 
gram, like the government listens to and saves all the phone 
records all the time and the public interprets that as meaning ev- 
erything that has been said over a phone is stored somewhere and 
you can go in and retrieve it or abuse the use of these programs. 
You have tried to clarify the program a number of different times 
in terms of what you collect and what you do not collect and how 
you have to go through a legal process in order to even begin to 
ascertain information that is necessary for you to come to some 
conclusion about whether or not this country is about to be at- 
tacked by terrorists. 

Well, let me ask you this question. Given the fact that this issue 
has swept across the country and we are in a position where we 
have to disclose more about it in order to calm the public 
misperception of what it is, are there consequences? Do we have to 
look at both sides of this question, one, being transparent, address- 
ing civil liberties but, two, the importance of keeping some mis- 
sions and some activities in a classified manner so that those that 
are intending to do us harm do not learn about our counterter- 
rorism efforts and therefore make adjustments to bypass the very 
methods that we have to potentially prevent a serious attack 
against the United States? 

I would like you to address that question, particularly in rela- 
tionship to what you have said about 9/11 and how perhaps if we 
had had these programs in place at the time, we could have pre- 
vented that, and a little bit more about the consequences of — as 
some have suggested — simply opening this up for the whole world, 
including people sitting in places where they are trying to deter- 
mine how they can best attack the United States. 

General Alexander. Senator, thank you for the question because 
that is my concern. Great harm has already been done by opening 
this up, and the consequence I believe is our security is jeopard- 
ized. There is no doubt in my mind that we will lose capabilities 
as a result of this and that not only the United States but those 
allies that we have helped will no longer be as safe as they were 
2 weeks ago. So I am really concerned about that. 

I am also concerned that as we go forward, we now know that 
some of this has been released. So what does it make sense to ex- 
plain to the American people so they have confidence that their 
Government is doing the right thing? Because I believe we are and 
we have to show them that. And you said it right. We have great 
people working under extremely difficult conditions to ensure the 
security of this Nation and protect our civil liberties and privacy. 
They do a great job. Actually I would like the American people to 
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know that because they would be tremendously proud of the men 
and women of NSA who have done this for us for the last decade. 
It is a great story. 

The issue is that we then have to debate is how much do we give 
out and what does that do to our future security. That is where the 
real debate is going to take place because that is the issue that is 
now before us. There is water, broken glass, and everything else on 
the floor. We now can look at that, but what we are going to have 
to do as a Nation going forward is say what can we do, and that 
is where the Congress, I believe, has to stand up on behalf of the 
American people. 

Some of these are still going to be classified and should be be- 
cause if we tell the terrorists every way that we are going to track 
them, they will get through and Americans will die. That is wrong. 
And our allies. We have got to come up with a way of doing this. 

And you know, I thought the great part about this program was 
that we brought the Congress, the administration, and the courts 
all together. We did that. That is what our Government stands for 
under the same Constitution. We follow that Constitution. We 
swear an oath to it. 

So I am concerned and I think we have to balance that. I would 
rather take a public beating and people think I am hiding some- 
thing than to jeopardize the security of this country. 

Now, having said that, some of this is out there, and it is right 
that we have that debate. And so what makes sense to put out 
there so that people will know that what we are doing is right, we 
ought to do that. And I think that part will be good for the country. 

And there are other parts that I think you need to weigh in and 
say, but do not do that. And that is where you, the administration, 
and potentially the courts ought to come together and say, so now 
what do we do. 

Chairwoman Mikulski. Thank you. 

Senator Coats. Thank you. I appreciate that statement and I 
think it should be made in the record and published across the Na- 
tion. 

Chairwoman Mikulski. Senator Landrieu. 

Senator Landrieu. Thank you so much. 

I would like to follow up by saying, General Alexander, I am so 
proud of you for being in charge of this because your demeanor 
through this whole hearing has, once again, proven to me that you 
are the right person for this job, and the four stars that you wear 
indicate a great understanding of the balance that you are trying 
to achieve. 

Perhaps these facts might support what Senator Coats and oth- 
ers have been trying to express, given the important, but difficult 
questioning. 

U.S. Cyber Command says there are 250,000 attacks on U.S. 
Government networks every hour, 6 million a day. And among the 
attackers are 140 foreign spy organizations. This is what our men 
and women are up against. We are not in a scrimmage. We are in 
a war. It is a very serious issue, and we are way behind the eight 
ball in my view in terms of allocation of resources, as much as we 
are struggling to clarify roles and responsibilities and balance this 
new war that we have never fought before under a Constitution 
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that is probably the best and most open in the world. I think they 
need a little space. 

Second, I have every confidence in this chairman to provide lead- 
ership. This hearing is one of the best hearings, Madam Chair, I 
have ever participated in in the almost 18 years I have been here. 
I thank you for it. 

And I have great confidence in Senator Feinstein. I do not think 
there is a Member of the Senate in either party that would ques- 
tion her integrity on this issue as head of our Intelligence Com- 
mittee trying to balance the civil liberties representing the State of 
California, which probably has the strongest views on this of any 
State, and the military which has been engaged in war since the 
beginning of time but never one like this. 

So I just want to say I am very proud of our military and very 
proud of you, General Alexander. And I hope that in the classified 
hearing that more of this can be brought to light. And I most cer- 
tainly am going to be explaining this to my constituents in an ap- 
propriate, balanced way. 

CRITICAL INFRASTRUCTURE: CYBERSECURITY IMPROVEMENTS 

But I want to say one other thing to you, Mr. Beers. Your staff 
is terrific. They briefed me privately yesterday on several briefings. 
I want to share this and then ask a question. 

When I asked them to sort of describe the scope of cybersecurity 
and the challenge before us, they said, well, Senator, somebody has 
described it like this. They said the DOD is dot-mil. It is the Coke 
bottle cap. You think about a Coke bottle. It is just the cap of the 
Coke bottle. The Federal civilian Government, which is dot-gov, is 
like the Coke bottle itself, and the companies and citizens, which 
is dot-com, is the entire room the bottle is in. So while all the ques- 
tions are being peppered right now to the top of this Coke bottle, 
Madam Chair, the room that we are in is the battleground that we 
are fighting in. And it takes huge resources and an unbelievable 
amount of commitment and compromise between the Government 
and the private sector. 

So what I want to ask the Secretary of Homeland, since that is 
my — and I am very proud to be the chair of the subcommittee. 
When the President issued his Executive order on improving crit- 
ical infrastructure cybersecurity, it requires not only you, Mr. Sec- 
retary, but Commerce — Treasury is not here — to come up with a re- 
port. That report is actually due today. It is 120 days from it. Do 
you have the report? Can you comment about, if you do not have 
it, when you are going to have it and one or two of the top findings 
in that report that you are going to be giving to the Congress I 
hope sometime soon? 

Mr. Beers. Senator, yes, the report is done. The report has been 
sent to the Office of Management and Budget (OMB) and the 
White House. I trust that Commerce and Treasury have also sub- 
mitted their report on incentives. It will be subjected by OMB to 
an interagency process, and at the end of the process, the expecta- 
tion is to release it to you all and the private sector for comment. 

What we want out of this is to pull together — and we have had 
workshops to talk about incentives. We had one — what — last week 
in Pittsburgh to draw in the private sector to give us their ideas 



53 


about incentives to have critical infrastructure adopt the 
cybersecurity framework. 

That report will cover such things as insurance as a possibility. 
It will cover such things as certification with some liability protec- 
tions as a possibility. These are all still ideas that are in a forma- 
tive stage, and I do not think it is appropriate at this point to make 
those initial reports public. But the intention of the administration 
is to make those reports public to you, the Congress, and to the pri- 
vate sector. 

Chairwoman Mikulski. But not because they are secret. It is be- 
cause they are incomplete. Is that correct? 

Mr. Beers. Yes, ma’am. That is correct. What we need to make 
sure is that everybody who has a stake in this in the Government 
has an opportunity to comment on it and then to get it back out 
to you and the private sector. 

Senator Landrieu. My time is up. And I am going to ask General 
Alexander in writing what his view is of the goal of the National 
Guard in cybersecurity for the Nation. You know, they play a very 
interesting role in our States. I have written you several times 
about it. I am going to write again to clarify their role. 

And finally, for the record, to follow up on Senator Collins, the 
Department of Homeland Security under your leadership, Sec- 
retary, has awarded a $300,000 grant to the Cyber Innovation Cen- 
ter in Louisiana which is starting a very scalable and proven model 
to create the cyber warriors of the future. And I look forward to 
talking with you more about that in conjunction with the chairman. 

Chairwoman Mikulski. Thank you, Senator Landrieu. You, as 
the chair of the Homeland Security Subcommittee, along with Sen- 
ator Coats, who is your ranking member I believe — I really would 
hope you would do your due diligence in getting ready for the bill — 
pursue this topic because we covered a lot of topics today. But we 
really count on you in the homeland security area. 

Senator Feinstein. 

Senator Feinstein. Thanks very much, Madam Chairman, and 
thank you for holding this hearing, and I thank all our witnesses 
for their service to our country. 

Just to be corrected, if I need to be corrected, I would like to just 
quickly read my understanding of section 215. 

The section 215 business records provision was created in 2001 
in the PATRIOT Act for tangible things, hotel records, credit card 
statements, et cetera, things that are not phone or e-mail commu- 
nications. The FBI uses that authority as part of its terrorism in- 
vestigations. 

The NSA only uses section 215 for phone call records, not for 
Google searches or other things. Under section 215, NSA collects 
phone records pursuant to a court record. It can only look at that 
data after a showing that there is a reasonable, articulable sus- 
picion that a specific individual is involved in terrorism actually re- 
lated to al Qaeda or to Iran. At that point, the database can be 
searched, but that search only provides metadata of those phone 
numbers of things that are in the phone bill. So the vast majority 
of records in the database are never accessed and are deleted after 
a period of 5 years. To look at or use content of a call, a court war- 
rant must be obtained. 
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Is that a fair description or can you correct it in any way? 

General Alexander. That is accurate, Senator. Thank you. 

Senator Feinstein. Thank you very much. 

Let me express my hope once again. You expressed some things 
to us yesterday in Intelligence. I think it is really very important 
to show the cases where this has been used and has been effective 
and do that tomorrow at the classified briefing for all Senators. 
Will you do that? 

General Alexander. Senator, we are going to bring those. We 
will bring a layout of all those that have happened. And we will 
work with the interagency as quickly as possible so that the aggre- 
gate numbers can be released by you and others so that the Nation 
knows how much this has really done to protect us and our allies. 

Senator Feinstein. Good. That is appreciated. 

Now, let me go to cyber. As you know, the vice chairman of our 
committee, Saxby Chambliss, with whom I work closely — we have 
been sitting down trying to forge a consensus information-sharing 
bill in cyber. Senator Coats, Senator Collins, Senator Mikulski are 
all members of this committee. And one of the main things is the 
extent of liability protection, the importance of the domestic portal 
of entry for cyber attacks. 

I would like to ask that you describe what is meant by a civilian 
portal for Senators assembled here today and also the rationale, 
why this is important for privacy and other reasons. 

General Alexander. Senator, thanks for that question. 

The reason, from my perspective, for a portal to one of the civil- 
ian infrastructures is so the Nation knows that somebody is not 
going directly to an intelligence or a military thing with secret in- 
formation, but rather, give it to, for example, DHS and it can be 
pushed to FBI and NSA Cyber Command because we all see the 
data at the same time. And the public will have great confidence 
that what we are doing is exactly right. Or send it to FBI depend- 
ing on the type and then FBI can shoot it to both of us. So you 
have a way of doing this. I think that is critical, given the discus- 
sion that we have on the other parts, is that the American people 
know that we are being transparent. 

We do not look at our cyber infrastructure to know what is going 
into Wall Street, as an example. And so if there is an attack on 
Wall Street, I will not see it until afterward. And so think of that 
as a missile coming into Wall Street. The people that do see it, like 
the Internet service providers, could tell us that — could — but there 
is no guarantee and there is no quick way of doing that. 

Cyber legislation is needed for that. We need to be able to share 
that information, and all of us need it because we all will have a 
role there. Our role would be defend the country. If this is a nation 
state trying to take down Wall Street, you want us to act. 

So I think that is the reason for having that civilian portal. That 
was a longer answer than you probably wanted, but that is why I 
think all of that is needed. 

Senator Feinstein. Thank you. 

Let me go to another subject quickly and that is liability protec- 
tion. And you talked to us a little bit about what the liability pro- 
tection standards should be in a bill. There are two parts of it. One 
is for use of a Government countermeasure, and the other is vol- 
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untary information-sharing between two companies. I think many 
members feel companies will not share unless they have immunity 
from liability. Could you comment on that? 

General Alexander. So there are two different aspects, as you 
stated, and one is how do you share with the Government and 
what action do you take. And so here is where I think my personal 
thoughts on this are that if the Government asks the company to 
do something to protect the networks or to do something and a mis- 
take is made and it was our fault, then they should have liability 
protection for that. And they should not stand up and have to be 
sued. So I think there is a case for that. 

But if they go company to company or if they are sharing data 
back and forth, as they do today, I am not sure that the Govern- 
ment needs to provide liability insurance that way. 

So I think there are two different things. 

Now, this is something that the administration — your folks and 
we ought to bring everybody together, if that is the key point, and 
iron that out. I think we want to get it right. There are subtleties 
to what we just said. So there are different cases and conditions 
upon when we would act and how we would act and what level of 
liability you would have. And so I think those are the ones that we 
truly got to get exactly right. 

From my perspective, we just cannot grant everybody gets liabil- 
ity protection. And on the other hand, we do not want to say do 
something for the Government and if it goes bad, you are on your 
own. So I think there is something in the middle there that we 
have to get right, and from my perspective it is when the Govern- 
ment is asking them to do something, we ought to have at least 
part of that liability protection. 

Senator Feinstein. Thank you. 

Thank you, Madam Chairman. 

Chairwoman Mikulski. Senator Boozman and then Senator 
Tester. 

Senator Boozman. Thank you, Madam Chair, and thank you all 
so much for being here. 

I do have some questions about the situation we are in, but I 
think what I would like to do is wait until we get into the classi- 
fied. I think you have said about as much as you could say in a 
setting like this. 

I do think that the Senator from Nebraska, though, raised an im- 
portant consideration that we are probably not talking about 
enough. I think by any standards, this is a very far-reaching pro- 
gram that really does have tremendous implication to the general 
public. And having the military — as he said, your record is exem- 
plary. You are a tremendous American. My dad did 20 years active 
duty, and I will do anything I can to help you all in that regard. 

But I do think that the idea of having military control — we have 
had those firewalls in the past, and that is a discussion at some 
point that I think we need to have and would appreciate again at 
some point your contribution in that. But I do think that that is 
very, very important. And like you said, we are not talking about 
that. 
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In regard to cybersecurity, Secretary McFeely, what are the top 
countries — and you can chime in on this also, General. What are 
the top countries that are pinging us? Who is involved in this? 

Mr. McFeely. We do have an answer for that. I believe that 
would be a more appropriate discussion in our classified setting. 

Senator Boozman. So it is not okay to say who is getting after 
us? 

Mr. McFeely. I do not believe in this setting based on the fact 
that our information and our assessment is based on our classified 
work — I do not believe that — I think I would be overstepping a line. 

Senator Boozman. Okay. 

You mentioned in your testimony the FBI’s collaboration with 
State and local law enforcement. Again, it is hard for them to deal 
with this. This is something that they are not, most of the time, 
equipped to do. Do you feel that the Federal Government, specifi- 
cally the FBI, is doing enough to aid our State and local depart- 
ments when they are faced with a cyber attack? 

Mr. McFeely. You mean specific governments or are we working 
with State and local law enforcement 

Senator Boozman. Yes, State and local law enforcement. 

Mr. McFeely. So I think the short answer to that is no, but I 
am happy to report that we have, I believe, a working plan moving 
forward. About 2 months ago, we met with various associations 
representing the police and sheriffs and investigators at the State 
and local side. And through conversation going through really a 
discussion of where law enforcement is with the cyber threat, we 
realized collectively that information is not flowing down to the 
State and local departments, and even in the instances where it 
was, they did not have the capability or the level of competence to 
even address it. 

We decided that we needed to address that. We have worked a 
pilot plan out, and the centerpiece of this will be the Internet 
Crime Complaint Center where we literally get thousands of com- 
plaints in a year from people who have been defrauded over the 
Internet. Most of the complaints that come in do not meet Federal 
prosecutive guidelines. In other words, it is not something that a 
United States Attorney’s office would routinely prosecute and it is 
not something, because these are fraud-type complaints, either the 
FBI or Secret Service would routinely investigate. But because 
State and local’s competence level is not at the level where it 
should be, it is just simply falling off. 

Chairwoman Mikulski. I could not hear your word to Senator 
Boozman. I could not hear you. Are you saying “confidence” or 
“competence”? 

Mr. McFeely. Competence, technical capabilities. 

So what we have worked out is a pilot project where we are 
going to package up these types of threats and actually disseminate 
them direct to the major departments where the victims are lo- 
cated. At the same time, we are going to increase our outreach to 
State and local law enforcement and give them the tools and the 
training that they need to get them up to that level of technical 
competence that they need. 

Senator Boozman. Thank you. 

Mr. Beers. Senator, could I add to that, please? 
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COLLABORATION WITH STATE AND LOCAL LAW ENFORCEMENT 

Senator Boozman. Yes, sir, sure. 

Mr. Beers. So our Secret Service, working with the FBI in a 
number of cases, as Mr. McFeely indicated, in the joint task force — 
we have a National Computer Forensics Institute in Alabama. We 
have trained over 1,300 State and local law enforcement prosecu- 
tors and judges in order to be able to deal with this. 

What we are dealing with here — that is, mostly their competence 
or the part of, not the national security threats but the criminal 
fraud threats — is the stealing of credit cards and other personally 
identifiable information and using that to take money out of banks 
around the world. You heard about the $46 million that was taken 
out of two banks from the Middle East, including a large amount 
in this country. That is the kind of training where we can give 
them the competence and we can work with them, and that is 
something that we and the FBI are trying to do very much. The 
outreach that we have had to the various police associations and 
other things are part of it. 

But the main thing is to get the training and then to work to- 
gether. A lot of this happens overseas and that is where we have 
to be involved in order to be able to trace those activities overseas, 
which State and local law enforcement do not really have the abil- 
ity to do. But it is a joint program and really quite successful. 

Senator Boozman. Thank you, Madam Chair. 

Chairwoman Mikulski. Senator Tester. 

Senator Tester. Thank you, Madam Chair. 

And I want to thank you all for being here, particularly General 
Alexander. I want to thank you for coming today. Thank you for 
your service to our country. And I have been looking at the slides 
the committee provided, and they are very helpful. We are going 
to spend more than $13 billion in unclassified cyber activities. 
Seven agencies are involved, excluding the network defense that 
every agency must do. 

According to my notes, after the WikiLeaks incident in 2010, a 
Presidential Executive order directed agencies to improve classified 
network security and create a committee to oversee those improve- 
ments. So we have had 3 years to improve the control of classified 
networks and information. Whatever one thinks of Edward 
Snowden, it looks to me as if we have also got a big problem that 
is internal, not external. 

So you tell me that the President has requested $13 billion in 
cyber spending for fiscal year 2014, and yet a contractor, not even 
somebody who is accountable to your chain of command or anyone 
else in the Government, is able to get his hands on a copy of a 
FISA court order allowing the collection of metadata from Verizon. 
How on earth does this happen? And why does a contractor have 
access to information that we are spending $13 billion to prevent 
outsiders from getting their hands on? 

General Alexander. So that is one of the grave concerns we both 
have in that in our networks, the system administration of those 
networks, the IT infrastructure, was outsourced about 14 years ago 
to push more of our work out to contractors. As a consequence, 
many in Government, not just us, have system administrators who 
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are contractors working and running our networks. Now, they do 
not have total visibility of the network, but they get key parts to 
it. And in this case, this individual was a system administrator 
with access to key parts of the network. So we have got to address 
that. That is of serious concern to us and something that we have 
to fix. 

Senator Tester. I mean, from your perspective, do you anticipate 
a recommendation coming forward that this work be done in house 
instead of contract? 

General Alexander. Senator, I am not prepared to make that 
statement yet. I do not want to react because there are good con- 
tractors out there that are doing a good job. I think what we have 
to do is come back and perhaps look at the oversight mechanism 
that we have, the checks and balances that are in the system, the 
automated checks and balances that exist, and what we can do to 
improve those. As you may know, what the Department is going 
through in the joint information environment would greatly assist 
in protecting this data. So going to what we call JIE is a huge step 
in the right direction. 

I think those cloud security and encrypting data is things that 
we can and should do, but that is going to take time. I do not want 
to mislead you. This is a significant effort for the Defense Depart- 
ment to move to, but it is one that I know I have personally talked 
to the Secretary on and the Chairman. We are pushing this. It is 
the right way to go. I wish we had it. I wish we would go back in 
time. NSA is doing the same. 

BANK ATTACKS 

Senator Tester. Financial services. I am told by folks that I deal 
with on the Banking Committee that almost every night somebody 
is trying to hack their system. 

Do you have the mechanism by which you can follow up if a bank 
gave you an IP address that they think that is doing the problem? 
And if it is not the right question for you, General, you can ship 
it any way you want. Or do you not have the mechanism to be able 
to follow up? 

General Alexander. So we do as a team, the team here. Almost 
assuredly, if it is a criminal or other, it would start with the FBI 
being on the team. We may have people on the team. If the FBI 
saw this was a foreign one, they would tip that over to us. So we 
act as a part. DHS has a key role in that team to see what it is. 
We have made great progress in bringing that team together. 

The bottom line to your answer is someone on this team would 
take it. Normally that leadership would probably be, the cases you 
described, FBI with DHS and us. 

Mr. Beers. Sir, on that, we gave out 200,000 IP addresses to in- 
dividuals within this country — to the banks — excuse me — to block 
when those distributed denial of services attack. Some of those 
were overseas. We also sent them to friendly governments over- 
seas. So as a matter of course, we do this on a regular basis as part 
of this tripartite team. 

Senator Tester. Okay. So let me ask you this. If a bank comes 
to you with an IP address that they believe was trying to hack 
their system, do you guys follow up on that? 
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Mr. Beers. In exactly the same way. The three of us, the three 
agencies that we represent, go and provide some forensic assistance 
with respect to that particular incident, and then we provide a 
larger mitigation message out to the rest of the community so that 
particular form of attack cannot be replicated. 

Senator Tester. Then do you go back to the bank that has initi- 
ated this investigation and tell them what you have done? 

Mr. Beers. We do, and when we put out the information, we do 
not necessarily indicate which bank was affected. We anonymize 
that information unless that particular firm wants it public. 

Senator Tester. Okay. So when a bank comes up to me and 
says, look, we give them IP addresses and they do not follow up 
on it, you would classify that as being baloney? 

Mr. Beers. Sir, I cannot speak to each and every one of those 
instances, but what I am telling is the way we work as a team in 
order to try to do that. And if there are banks that have spoken 
to you about this, we would be happy to get back to them if they 
are prepared for you to tell me about that. 

Senator Tester. I do not know that they are, but maybe they 
are. I cannot say. Actually multiple banks have talked to me about 
that. 

So I just want to say thank you very much. I will tell you that 
there has been a lot — if I might editorialize just for a second, 
Madam Chair. There has been a lot of concern about what has hap- 
pened in the last couple weeks. And I do not serve on the Intel- 
ligence Committee. I do serve on Homeland Security, but I do not 
serve on the Intelligence Committee. And I will tell you that I 
think it is positive for this country to be having the discussion we 
are having. And there may be some negatives involved here, but 
I think it is positive to have the discussion so that we are thinking 
about civil liberties and we are thinking about freedom as it relates 
to our national security. You guys all have a tough job, but we will 
get through this and hopefully we will secure both our security and 
our freedoms when this is done. 

Thank you very much. 

Chairwoman Mikulski. Senator Murray. 

Senator Murray. Madam Chairman, thank you very much for 
having this hearing. 

Is “baloney” a Montana name? 

Senator Tester. I was being very nice. I was going to refer to 
cow excrement here. 

QUALIFIED WORKFORCE: CENTERS OF EXCELLENCE 

Senator Murray. We were lucky. 

Again, thank you so much for having this hearing. 

Let me just start by saying that I think our Nation’s most impor- 
tant cybersecurity resource is its cyber workforce. Without the 
right people using it, even the most sophisticated technology is 
really only of limited use. That is why I think it is important that 
we successfully identify, recruit, and train a cyber workforce to 
form the foundation of any national cybersecurity plans. 

DHS and NSA’s Centers of Academic Excellence are really impor- 
tant tools in this effort, and my State, Washington State, hosts a 
number of these Centers of Excellence. We have the Information 
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Assurance Education Centers at the University of Washington — 
Tacoma and the University of Washington — Bothell. We have the 
Information Assurance Research Center at the University of Wash- 
ington — Seattle, and the Information Assurance 2-year Education 
Center at Whatcom Community College. And together those pro- 
grams offer cybersecurity education and training at the 2-year, un- 
dergraduate, masters, and Ph.D. level. 

Secretary Beers and General Alexander, if you could comment on 
how you think these Centers of Excellence play into your respective 
cyber hiring pipelines and workforce development programs, I 
would love to hear your comments on that. 

Mr. Beers. Let me go first on that. We absolutely are dependent 
upon that form of education as a way to get qualified individuals 
into our workforce. We at DHS have an outreach program to com- 
munity colleges generally but also to these Centers of Excellence as 
well as to universities. The only comment that I would make is we 
do not have enough people around the country trained to do all the 
jobs that we in Government and the private sector need to have 
done. I think that is really one of the educational frontiers for this 
country is to create that kind of a workforce for all of us. So that 
is certainly something that we support very much at DHS. 

Senator Murray. General, do you want to comment? 

General Alexander. Senator, thank you for that question be- 
cause that is a huge program that we do with more than 140 dif- 
ferent schools collectively between DHS, NSA. And the curriculums 
that we set up there with those schools — this is not just you get 
a thing, you go do it. They actually set up a curriculum that helps 
ensure that the students that are going through that will have the 
background we need in information assurance, and now in cyber 
operations, a new one. So there are double credentials that they 
can get. And I just encourage your schools. I know everybody is 
looking at that, and we are getting tremendous pressure. 

These are very difficult to get into. This is not something that 
we just grant. It is interesting because we got a number of schools 
to bring this forward. Some of them do not meet the qualifications 
and do not get that accreditation. So they work through that. We 
work with them. We have a great outreach. I think this is great 
for our country to build these kinds of people 

Senator Murray. We absolutely must have that workforce. I 
agree. 

I know that a coherent national cybersecurity strategy really re- 
quires some cooperation. You have got to have collaboration be- 
tween Government, private industry, and academia. And as we saw 
with the development of the information economy on the Internet, 
clustering these universities, companies, and the appropriate Gov- 
ernment agencies together offer some really great benefits. Within 
the cybersecurity industry, the South Puget Sound in my State has 
emerged as a leading cyber cluster, if you will. The unique and na- 
tionally recognized resources the region has to offer have created 
a great environment for cybersecurity to really flourish. They have 
some great stakeholders who help make this possible, including the 
Center for Information Assurance and Cybersecurity at the Univer- 
sity of Washington. We also have great influential technology and 
defense companies, Microsoft, Amazon, Boeing, and we have two 
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military installations, Joint Base Lewis-McChord and Washington 
National Guard Camp Murray in the South Puget Sound. And I 
have seen personally how those relationships have really benefited 
that region. 

And, Secretary Gallagher, I would love it if you could talk about 
the importance of these so-called cyber clusters like the one we 
have in my State and what steps NIST and Commerce are taking 
to really promote those. 

Dr. Gallagher. So the notion of clusters as a way of sort of cre- 
ating this amplification effect that you talk about is broader even 
than just cybersecurity. In fact, it is a key part of our strategy in 
other areas like advanced manufacturing. And what tends to hap- 
pen is you get sort of a critical mass where you have enough exper- 
tise that it creates an attracting and pooling, and that talent base 
really starts to create wins. So you attract the right kinds of com- 
panies and government agencies and academic programs. 

I think it has to be a key part of the cybersecurity education ef- 
fort as well because in the end, you are talking about workforce de- 
velopment. And so you are going to have to bring together — that 
is one of the reasons the public/private partnerships are going to 
be such a key element here. We are seeing some of that already. 
Senator Mikulski provided a program funded through NIST, the 
National Cybersecurity Center of Excellence, which leverages 
Maryland and Virginia which have also been looking at this sort 
of effect, to bring in companies to work collaboratively on 
cybersecurity and create this tipping-in effect that you so elo- 
quently described that are part of clusters. 

Senator Murray. Great. Well, I am a big proponent of that. 

I am out of time, but I did want to submit a question about the 
National Guard. I think as we move forward, we are going to have 
to make sure that we are coordinating with them. They are going 
to be our boots on the ground if there is ever an issue, and I am 
hoping that we are doing the right things to support them. So, 
Madam Chairman, I would like to just submit that question. 

Chairwoman Mikulski. Thank you very much, Senator. And we 
hope that through the respective subcommittees, there will be fol- 
low-ups that will go even deeper to this. 

In terms of your clustering, we in Maryland feel we are at the 
epicenter of cybersecurity because we have the National Security 
headquartered there. We have the National Institute of Standards 
headquartered there. We hope to have the FBI headquartered 
there. We have the University of Maryland 

Senator Murray. Yes. Well, we will take the west side of the 
country. 

Chairwoman Mikulski. But thank you very much. 

I think, Senator Shelby, did you want to say something, sir? 

Senator Shelby. I just have one last observation. I just want to 
thank the panel, all of you, for your service to the country, the way 
you have conducted yourself before you got here today, and what 
you have done here for the day for America. And I think it has to 
be said. We have worked together a long time. Thank you. 

ADDITIONAL COMMITTEE QUESTIONS 

Chairwoman Mikulski. Well said, Senator Shelby. 
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If there are no further questions this afternoon, Senators may 
submit additional questions for the committee’s official record, and 
we request the witnesses’ response within 30 days. 

[The following questions were not asked at the hearing, but were 
submitted to the Departments for response subsequent to the hear- 
ing:] 

Questions Submitted to Hon. General Keith B. Alexander, Commander, U.S. 
Cyber Command Director, National Security Agency Chief, Central Secu- 
rity Service 


Questions Submitted by Senator Patty Murray 

Question. Currently, the development, marketing, sale, and resale of software ex- 
ploits, including attack capabilities, is legal and unregulated making it one of the 
few remaining unregulated weapons markets. 

Is it in the United States’ interest to allow the open and unfettered sale of these 
exploits and other attack capabilities? What steps are currently being taken to pro- 
tect the United States against the proliferation of these capabilities? 

Answer. We share the concerns of the Committee and others about the unfettered 
proliferation of malicious cyber tools and the potential misuse of those tools to inflict 
harm against U.S. interests and those of our allies. With other agencies, we are 
studying the global export market for cyber technologies, and what actions may be 
prudent for national security, while being mindful of U.S. industry’s need to inno- 
vate to meet global demand for cyber defense capabilities. 

Question. Given the risk that cyber attack poses to critical infrastructure and 
other important domestic systems, creating and maintaining a robust cyber civil de- 
fense is essential. Traditionally, National Guard units have played a central role 
within civil defense and in Washington State, the 262nd Network Warfare Squad- 
ron — the first operational non-flying wing within the Air National Guard — has ex- 
tended its response and support capabilities to cyberspace. 

What steps is CYBERCOM taking to coordinate with Guard units like the 262nd 
to improve homeland readiness and resilience in the face of cyber attack? 

Answer. Currently, we conduct exercises and training with the 262nd Network 
Warfare Squadron focused on responding to a domestic cyber attack against critical 
U.S. infrastructure. These events involve intense collaboration and coordination 
across Federal, State, and private sector boundaries. Going forward, we are working 
with USNORTHCOM and the National Guard Bureau to develop a broad framework 
for integrating the National Guard into the Cyber Mission Forces. This framework 
will guide the Service components as they work to incorporate additional cyber capa- 
bilities into their forces. 


Questions Submitted by Senator Richard J. Durbin 

CYBER EXECUTIVE ORDER — ROLE OF THE EXECUTIVE ORDER VERSUS CYBER 

LEGISLATION 

Question. President Obama issued Executive Order (EO) 13636 in February of 
this year. What is the effect of this Executive order? Is it improving your ability 
to share information with the private sector? 

Answer. The overall effect of the Executive order is to jump-start some key initia- 
tives that begin to address the cybersecurity threat. 

— With implementation of the Enhanced Cybersecurity Services, a USG/industry 
partnership program, the robust cybersecurity protections currently afforded 
only to the Defense Industrial Base primarily through cleared commercial serv- 
ice providers will be made available to all critical infrastructure sectors while 
minimizing the potential for divulging our classified sources and methods. 

— The cybersecurity framework to be developed by the National Institute of 
Standards and Technology in partnership with industry will help owners and 
operators of critical infrastructure to understand the levels of security measures 
that are needed to make it more difficult for adversaries to penetrate their net- 
works. 

— The voluntary certification program is designed to encourage and assist owners 
and operators of critical infrastructure to adopt those standards to harden their 
networks. 
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— All three efforts recognize that cybersecurity is a team effort and must be done 
with full collaboration within Government and with industry and other private 
stakeholders. 

I think it is essential; however, that all parties realize that the Executive order 
(EO) is only a first step in addressing the threat and not a substitute for actual leg- 
islation. The EO can move us only so far, and it does not eliminate the need for 
Congress to enact cybersecurity legislation. 

While the Executive order does make some headway in enabling and facilitating 
some cybersecurity information sharing across a larger portion of the critical infra- 
structure, such sharing remains largely one-sided — from the USG to private sector. 
With so much of the critical infrastructure owned and operated by the private sec- 
tor, the Government is often unaware of the malicious activity targeting our critical 
infrastructure. These blind spots prevent the Government from being in a position 
to either help defend the critical infrastructure or to defend the Nation from a cyber 
attack, if necessary. This can only be overcome through legislation that removes 
statutory barriers to cybersecurity information sharing and provides the narrowly 
scoped liability protections needed to incentivize two-way, real-time information 
sharing between the private sector and the Government. Similarly, we need legisla- 
tion that encourages industry cooperation in the development and implementation 
of the cybersecurity standards that will secure their networks. 

Question. When he signed the Executive order, President Obama also underscored 
the need for comprehensive cybersecurity legislation, since the scope of the Execu- 
tive order is limited. What are your legislative priorities in terms of items you be- 
lieve should be included in cyber legislation? 

Answer. I believe that cyber legislation needs to: 

— Eliminate the statutory information sharing barriers and facilitate two-way, 
real-time cybersecurity information sharing between the private sector and the 
Government as well as among private companies. Any legislation must instill 
confidence that such sharing will protect privacy and civil liberties, and will 
preserve the longstanding, respective roles and missions of civilian and intel- 
ligence agencies. It also needs to provide reasonable liability protections for 
companies in order to incentivize such information sharing. 

— Build on the efforts under EO 13636 to develop a cybersecurity standards 
framework and certification program by incentivizing the private sector to adopt 
the framework to protect its networks. 

CYBER EXECUTIVE ORDER — PROTECTING PRIVACY AND CIVIL LIBERTIES 

Question. The Executive order requires Federal agencies to develop cybersecurity 
efforts in accordance with the Fair Information Practice Principles, as well as other 
policies, principles, and frameworks to protect privacy and civil liberties. I worked 
with a number of other Senators to ensure that the Cybersecurity Act of 2012 in- 
cluded provisions to protect privacy and civil liberties. 

What specific steps can government agencies take to ensure that privacy and civil 
liberties are protected as we enhance our Nation’s cybersecurity? 

Answer. I believe that the U.S. Government could take the following steps to en- 
sure that privacy and civil liberties are protected: 

— Ensure transparency by establishing processes and procedures based on F air In- 
formation Practice Principles for tbe U.S. Government receipt, retention, use, 
and disclosure of cyber threat information received from the private sector. 

— Require independent review and oversight to ensure that use and sharing re- 
strictions are being enforced. 

— Leverage technology to establish a transparent, real-time, policy-based, ma- 
chine-to-machine messaging construct that automatically enforces the policy/ 
rules for use and any restrictions on sharing. 


Questions Submitted by Senator Mary L. Landrieu 

CYBERSECURITY ROLE FOR THE NATIONAL GUARD 

Question. On June 13, 2013, the day of the Appropriations Committee hearing en- 
titled “Cybersecurity: Preparing for and Responding to the Enduring Threat”, the 
Committee received a report from the Department of Homeland Security (DHS) and 
Department of Defense (DOD) which was due to Congress on May 1, 2012, as pre- 
scribed in the joint explanatory statement accompanying the fiscal year 2012 DHS 
Appropriations Act (Public Law 112-74). The purpose of the report was to outline 
the capabilities of a coordinated response to a cyber attack by DHS and the National 
Guard and how critical relationships can be established across the agencies to fulfill 
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cybersecurity responsibilities. The information provided, which was submitted sepa- 
rately by the two agencies, outlines on a high-level, the programs DHS and DOD 
(as a whole) are maintaining for a response. Unfortunately, the report falls short 
of providing Congress an understanding of the DHS and National Guard’s capacity 
to respond to a cyber attack jointly. In order for Congress to better understand the 
gap between capacity and need, a sense of scope is required. 

How many National Guard cybersecurity personnel currently exist, and where? 
Are they employed in teams or individually? If they are employed in teams, how 
many teams are there and where are they located? 

Answer. Although these questions are better directed to the National Guard Bu- 
reau, I understand that there are approximately 1,000 National Guard personnel in 
cybersecurity positions. The U.S. Army National Guard is filling 8-person Computer 
Network Defense teams in each State that operate part-time in support of State 
missions. Additionally, the U.S. Air Force has established Air National Guard units 
in Washington, Delaware, Rhode Island, Maryland, California, and Kansas. 
USCYBERCOM continues to explore with the Services the unique capabilities the 
National Guard brings to the Total Force and the role they will have in securing 
our Nation in cyberspace. 

Question. As DOD and DHS are building the capacity the Federal Government 
needs to protect against and respond to a cyber attack: what specific role is being 
considered for the National Guard; and how is the Guard’s ability to switch between 
title 32 authorities and title 10 authorities being taken into consideration? 

Answer. We are working through the best way to strategically integrate the Na- 
tional Guard into the cyber national defense mission to include the Guard’s par- 
ticular authorities and capabilities. Most importantly, National Guard forces should 
complement the Total Force in the same way that they do for other missions. As 
part of a Total Force solution, the National Guard forces will need to be trained to 
the same standard as the active forces to meet those requirements. 

Although we are focused on working with the Services and the National Guard 
Bureau on how these personnel can help meet DOD requirements, the Department 
is actively engaged with its interagency partners and the States to improve our abil- 
ity to respond to cybersecurity challenges in a whole-of-Government approach that 
leverages all appropriate authorities. 

It is also important to note that, as Chairman of the Joint Chiefs of Staff General 
Martin Dempsey stated in recent congressional testimony, title 32 may not provide 
authorities for operating in cyberspace. Any activities on networks within a State’s 
jurisdiction which have effects outside of that jurisdiction would have to be con- 
ducted under title 10 authorities. This will be an important factor in the planned 
integration of the National Guard into the cyber national defense mission. 

Question. Is there a cost savings associated with utilizing the National Guard 
based on current training? How much? 

Answer. In coordination with the services, the Department is working out how to 
create an effective cyber workforce by looking across the Total Force in a way that 
best meets DOD cyber requirements. As a critical element of building its force struc- 
ture, USCYBERCOM has established common training requirements for all of its 
personnel, Active component, Reserve component, or civilian. 

We are eager to leverage the skills and training of all our team members while 
we ensure that they are properly trained and certified to carry out their 
USCYBERCOM mission. It is very difficult to estimate potential savings based upon 
current training of personnel, as it will be highly dependent both upon the par- 
ticular training and certification an individual has previously received and how 
much training meets the requirements of roles to which the personnel will be as- 
signed. 

Question. Are there skills identified within the National Guard that cut down the 
time needed to train a cyber airman or soldier to be able to respond to a cyber at- 
tack? 

Answer. The services retain training and accreditation authorities for all training. 
Each service will make a determination on what civilian skills, experience, and cre- 
dentials might be credited for required military training. 

USCYBERCOM is establishing common training requirements for all of its forces. 
Skills may help them progress and support their ability to operate, while ensuring 
that all of our forces are trained to the same standard. 

CYBER TEST BEDS/RANGES 

Question. General Alexander testified that the services, departments, and agen- 
cies need to work together to ensure that they have adequate test bed and range 



65 


space to safely organize, train, and equip the cyber warriors, operators, managers, 
researchers, and agents across the Federal Government. 

What are the specific requirements that your departments and their various agen- 
cies have for test bed and range space? 

Answer. Test bed and range spaces must support training on all aspects of the 
USCYBERCOM mission as specified by the Joint Cyber Training and Certification 
Standards and the Cyber Forces Concept of Employment. They also need to be capa- 
ble of supporting training, exercise, and mission rehearsal events from multiple lo- 
cations on a 24/7/365 basis. 

Question. What specific outcome will those established requirements render in 
trained personnel and tactics? 

Answer. Testing and range space that fulfills those requirements will foster an en- 
vironment that ensures the Cyber Mission Forces are consistently trained and cer- 
tified to perform operations in defense of the Nation and, when authorized, to 
project force. Methods of training tactics development will include force on force, 
force vs. simulated opposition forces, and force vs. live opposition forces. 

Question. What is the current test bed and range capacity available to each of 
your departments? 

Answer. USCYBERCOM has access to the Department of Defense’s four cyber 
ranges that support testing and training: the Joint Information Operations Range, 
the Department of Defense Information Assurance Range, the National Cyber 
Range, and the C4 Assessment Division. USCYBERCOM also has limited in-house 
standalone test labs. 

Question. What is the wait time or backlog based on the access you currently 
have? 

Answer. Currently, exercise events are developed to meet specific requirements for 
the training audience. In correlation with the development, wait time varies based 
on range schedule availability and planning. Based on historical data from recent 
range events, the average wait time is 60-90 days for a small (10-15 participants) 
event, and 6-9 months for large-scale exercises such as Cyber Flag. 

Question. Have you identified additional test bed or range space that you would 
like to acquire, use, or lease? 

Answer. USCYBERCOM is working with the Joint Information Operations Range, 
the DOD Information Assurance Range, the National Cyber Range, and the C4 As- 
sessment Division to identify future capacity needed to accommodate projected DOD 
cyber testing and training requirements. 

Question. What are the fiscal year 2013 and 2014 funding levels for testing and 
training space? 

Answer. Although USCYBERCOM has access to these ranges, we do not program 
their funding nor are the ranges under a single program manager. The Command 
is collaborating with the range program managers in a federation of the willing in 
order to coordinate strategic planning/programming. For specific USCYBERCOM 
events, COCOM Engagement and Training Transformation funding was allocated 
from the baseline USCYBERCOM fiscal year 2013 exercise funding and fiscal year 
2014 funding will likely be similar. 

Question. What percentage of your required testing and training needs will you 
be able to meet in fiscal year 2013 and 2014? 

Answer. Of the projected training and certification events to support the Cyber 
Mission Force, approximately 30 percent of the events can be supported by the test 
beds and ranges currently available to USCYBERCOM. However, the Command is 
working with the Joint Information Operations Range, the DOD Information Assur- 
ance Range, the National Cyber Range, and the C4 Assessment Division to identify 
the capacity needed in fiscal year 2014 and beyond to accommodate projected DOD 
cyber testing and training requirements. 


Questions Submitted by Senator Tom Udall 

ROLE OF NATIONAL LABORATORIES IN PROMOTING CYBERSECURITY 

Question. General Alexander, our National Labs — which are the crown jewels of 
our Nation’s research system — are active in efforts to promote cybersecurity. In my 
home State of New Mexico, Sandia National Laboratories is engaged in efforts to 
secure the national electrical grid from cyber attack. Los Alamos National Labora- 
tories is a leader in quantum cryptography. Sandia also has partnerships with uni- 
versities and the private sector. They’re helping computer science students become 
cyber professionals. 
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Could you discuss what role our National Labs should have in protecting our Na- 
tion from cyber attack? 

Answer. Our National Labs are incredible resources that continue to make vital 
contributions to cybersecurity and broader national security. The three areas that 
you have identified are three of the most important ways that the National Labs 
are supporting U.S. cybersecurity efforts: advanced research to secure our vulner- 
able infrastructure from cyber threats; the improvement of our abilities to transmit 
and store data securely; and, potentially most importantly, the development of the 
cybersecurity professionals that are our most critical asset. 

NEED FOR INTERNATIONAL COOPERATION FOR CYBERSECURITY STANDARDS 

Question. General Alexander, your testimony describes how USCYBERCOM is 
working to defend the Nation against threats from cyberspace, especially those that 
could involve attacks directed by foreign states. But cyberspace does not really rec- 
ognize national borders, and we have many shared interests in terms of 
cybersecurity with other nations. Stopping cyber criminals, for example, requires co- 
operation from other countries. Earlier this year, a criminal network involving hack- 
ers from several countries allegedly stole $45 million from banks using fake ATM 
cards. 

How do we ensure our national security while also working toward better inter- 
national cooperation in the area of cybersecurity? 

Answer. International cooperation on cybersecurity is a requirement to ensure our 
national security. Global cooperation is necessary to address the threat, build con- 
sensus on the norms of responsible conduct in cyberspace, and address ongoing ma- 
licious activity. For our military, cybersecurity cooperation, including shared situa- 
tional awareness, is foundational to interoperability and mission success globally as 
is the case in other domains. 

Question. How do we reduce cyber vulnerabilities while protecting a free and open 
Internet for all? 

Answer. As the President’s International Strategy for Cyberspace says, “To realize 
fully the benefits that networked technology promises the world, these systems must 
function reliably and securely. People must have confidence that data will travel to 
its destination without disruption Assuring the free flow of information, the security 
and privacy of data, and the integrity of the interconnected networks themselves are 
all essential to American and global economic prosperity, security, and the pro- 
motion of universal rights.” A cyberspace that rewards innovation, empowers indi- 
viduals, develops communities, safeguards human rights, and enhances personal 
privacy will strengthen national and international security. We will reduce our 
cyber vulnerabilities and defend our networks with smart policies that combine na- 
tional and international resilience with vigilance and a range of credible response 
options. Building capacity and fostering innovation is necessary to achieve reliable, 
secure, and safe platforms and build confidence in globally interconnected networks. 
This is why partnerships are so important: domestic and international, public and 
private sectors. 


CHINA AND THEFT OF INTELLECTUAL PROPERTY 

Question. General Alexander, your testimony mentions the systematic theft of 
American intellectual property. This is a serious challenge, particularly if aided and 
abetted by foreign states. President Obama reportedly raised concerns about this 
with Chinese President Xi Jinping last week. 

How should our Nation respond if such directed cyber thefts are not curtailed? 

Answer. In February 2012, the administration published a comprehensive strategy 
on mitigating the theft of U.S. trade secrets, which is currently being implemented. 
Consistent with the Strategy, we need to respond to cyber intrusions that result in 
the theft of American intellectual property in three ways. First, the U.S. Govern- 
ment must work with like-minded countries to clearly define acceptable and unac- 
ceptable behaviors in cyberspace and to promote related international norms, in- 
cluding effective criminal and civil enforcement. Second, the U.S. Government must 
work with private sector entities to develop more defensible network architectures 
and computing devices that do not contain vulnerabilities that countries such as 
China can exploit for economic gain. As these network architectures and computing 
devices are hardened, we must promote development, sharing and deployment of in- 
dustry-led voluntary best practices in the private sector to protect U.S. intellectual 
property, including trade secrets. Third, the U.S. Government must continue to de- 
velop and implement defensive cyber capabilities to protect the Nation from threats 
to its economic health and stability. 
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Questions Submitted by Senator Thad Cochran 

Question. All witnesses, we have heard about the importance of cooperation and 
clearly defined lanes of responsibility across the Federal Government for our 
cybersecurity efforts. What are your respective roles in receiving and sharing threat 
information with the private sector? 

Answer. We are leaning forward to the maximum extent authorized to share 
knowledge across the U.S. Government and private sector. In accordance with EO 
13636, and consistent with its legal authorities and mission responsibilities, NSA/ 
CSS provides classified cyber threat information and associated network defense 
guidance to DOD, DHS, and DOJ/FBI to use in support of their specific 
cybersecurity roles and responsibilities. Through the voluntary Enhanced 
Cybersecurity Services and Defense Industrial Base Enhanced Cybersecurity Serv- 
ices programs, NSA/CSS is working with DHS and DOD to provide classified cyber 
threat and technical information to eligible critical infrastructure companies or com- 
mercial service providers that offer security services to critical infrastructure. 

Question. All witnesses, I think we all recognize the importance of defending our 
Nation’s critical infrastructure against cyber attacks. A foreign or terrorist cyber at- 
tack on our electric grid, water systems, or financial systems could cause widespread 
damage and even have detrimental effects on our economy and consumer confidence. 
There has been much discussion about how involved the Federal Government should 
be in defending infrastructure owned by non-Federal entities. How would you define 
the threshold for what types of non-Federal infrastructure might qualify as “critical” 
for these purposes? 

Answer. I believe the definition of “critical infrastructure” used in PPD-21 Critical 
Infrastructure Security and Resilience is a reasonable one, and it applies to both 
Federal and non-Federal critical infrastructures. It defines critical infrastructure as 
those “systems and assets, whether physical or virtual, determined by a sector spe- 
cific agency or DHS to be so vital to the United States that the incapacity or de- 
struction of such systems and assets would have a debilitating impact on security, 
national economic security, national public health or safety, or any combination of 
those matters.” 

Question. General Alexander, a British newspaper recently reported on a program 
called “Prism,” in which it referred to collection under section 702 of the Foreign 
Intelligence and Surveillance Amendments Act. The newspaper reported that the 
law “allows for the targeting of any customers. . . who live outside the U.S. or 
those Americans whose communications include people outside the U.S.” Can you 
explain if and how this description may be inaccurate? 

Answer. The quoted statement is inaccurate. Section 702 does not allow the Gov- 
ernment to target Americans inside or outside the United States. 

Section 702 of FISA allows “the targeting of persons reasonably believed to be lo- 
cated outside the United States to acquire foreign intelligence information.” 50 
U.S.C. 1881a( a). 

Additionally, the statute provides several express limitations, namely that such 
acquisition: 

(1) may not intentionally target any person known at the time of acquisition to 
be located in the United States; 

(2) may not intentionally target a person reasonably believed to be located outside 
the United States if the purpose of such acquisition is to target a particular known 
person reasonably believed to be in the United States; may not intentionally target 
a United States person reasonably believed to be located outside the United States; 

(3) may not intentionally acquire any communication as to which the sender and 
all intended recipients are known at the time of acquisition to be located in the 
United States; and 

(4) shall be conducted in a manner consistent with the fourth amendment to the 
Constitution of the United States. 

50 U.S.C. 1881a(b). 

An acquisition authorized under section 702 must be conducted in accordance 
with targeting procedures reasonably designed to “ensure that any acquisition au- 
thorized. . . is limited to targeting persons reasonably believed to be located out- 
side the United States.” 50 U.S.C. 1881a(c) and (d)(1). These targeting procedures 
are subject to judicial review and approval by the Foreign Intelligence Surveillance 
Court (FISC). 50 U.S.C. 1881(d)(2). Minimization procedures must also be adopted 
and are subject to FISC review. 50 U.S.C. 1881(e)(2) Among other requirements, 
joint authorizations by the U.S. Attorney General and Director of National Intel- 
ligence under section 702 must attest that “a significant purpose of the acquisition 
is to obtain foreign intelligence information” and that the acquisition complies with 
the above limitations. 50 U.S.C. 1881a(g)(2). 
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Question. All witnesses, we’ve often heard that there is a potential for a Cyber 
Pearl Harbor, or an unexpected cyber attack on our Nation by a foreign entity that 
has dramatic and lengthy consequences. I think it may be difficult for most Ameri- 
cans, and even members of this Committee, to visualize how exactly such an attack 
would be carried out and what it would look like. Can you help us to better under- 
stand these things? Are the appropriations this Committee has been recommending 
sufficient to help prevent such an attack? 

Answer. In a 20 July 2012 opinion piece published online in the Wall Street Jour- 
nal, President Obama reflected on lessons learned from a national-level exercise 
conducted the previous month to test how well Federal, State, and local govern- 
ments and the private sector can work together in a crisis. According to the exercise 
scenario, that crisis was the result of a cyber attack by unknown hackers who had 
inserted malicious software into the computer networks of private-sector companies 
that operate most of our transportation, water, and other critical infrastructure sys- 
tems. The simulated consequences included train derailments across the country, in- 
cluding one carrying industrial chemicals that exploded into a toxic cloud. Water 
treatment plants in several State had shut down, contaminating drinking water and 
causing Americans to fall ill. This worst-case scenario included both cyber and phys- 
ical consequences and targeted our Nation’s critical infrastructure. In October 2012 
Secretary of Defense Panetta described a cyber Pearl Harbor as just such a com- 
bination of events. 

We believe the administration budget requests are on target and we appreciate 
the Committee’s willingness to fund them. Our strength in facing this threat relies 
on the entire U.S. Federal Cybersecurity Operations Team including DHS, DOJ/FBI, 
and DOD to counter cyber threats. We each have specific, critical roles, responsibil- 
ities, and authorities. We are already working together as part of the Federal effort 
to counter cyber threats, and we are partnering to implement EO 13636 to improve 
the cybersecurity of our critical infrastructure. There are issues with being able to 
see and prepare for a cyber attack, as no single public or private entity has all of 
the required authorities, resources, or capabilities to either respond to or prevent 
a serious cyber attack on our critical infrastructure. We must address this threat 
as a team by sharing the unique insights into cyber threats that both the Govern- 
ment and the private sector have and by hardening our critical infrastructure and 
making it more resilient to cyber threats. We need legislation that removes existing 
barriers to the sharing of cyber threat information between the private sector and 
the U.S. Government at network speed, while ensuring that privacy and civil lib- 
erties are protected. We also need legislation that offers incentives to encourage core 
critical infrastructure operators to harden their networks. 


Questions Submitted by Senator Mike Johanns 

CYBER COMMAND 

Question. General Alexander, I would like to ask several questions about the po- 
tential elevation of Cyber Command to a unified combatant command. Last year’s 
National Defense Authorization Act included language that instructs DOD to brief 
Congress on any proposal to elevate the command. The language asks for specific 
information such as a clear statement of mission, an outline of national security 
benefits, as well as a cost estimate. 

Has DOD prepared this required information and have you shared it with Con- 
gress? 

Answer. If the administration were to make such a significant change to the Uni- 
fied Command Plan, it would certainly share the details with Congress. 

Question. Do you agree that it would be inappropriate to stand up a new unified 
command without possessing this information and sharing it with Congress for re- 
view? 

Answer. I believe that Congress should be informed on the analysis, decision- 
making factors, and outcome of any changes to the Unified Command Plan. 

Question. In particular, what would be the costs associated with elevating Cyber 
Command to a unified combatant command beyond the initial establishment of the 
command — costs specifically related to operations? 

Answer. If the decision is made to elevate USCYBERCOM to a unified command, 
it is unknown at this time whether there would be costs beyond the initial establish- 
ment of the command related to operations. Any cost increases or decreases will be 
dependent upon the responsibilities and authorities assigned. 

Question. I have heard some assert that no additional allocation would be needed 
to elevate Cyber Command. Regardless of whether costs are absorbed by taking 
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away from other DOD missions or expending newly allocated tax dollars, there will 
be operational expenses. What is DOD’s estimation of these expenses? 

Answer. If the decision is made for significant changes to the Unified Command 
Plan — such as creating an additional unified command — there will likely be costs in- 
volved. The exact costs and any potential effect on the overall DOD budget, how- 
ever, will be dependent upon a variety of implementation factors including assigned 
responsibilities, authorities and manning. 

Question. What do you believe are the advantages and disadvantages of dual- 
hatting an individual as both the commander of a unified command and of the Na- 
tional Security Agency? 

Answer. Currently, the dual-hatting of the Director of the National Security Agen- 
cy and the Commander of USCYBERCOM is a strategic advantage for the Nation. 
It has enabled DOD to leverage NSA’s capabilities needed for the conduct of 
USCYBERCOM’s mission. The concept ensures that the most knowledgeable officer 
on the global cryptologic platform maintains superior situational awareness, empow- 
ering swift and effective decisionmaking associated with national intelligence and 
military objectives. 

Question. In light of the widespread concern about an appropriate balance be- 
tween national security and the privacy rights of American citizens, is there wisdom 
in avoiding giving one person virtually unprecedented power as the head of both a 
unified command and a civilian intelligence agency? 

Answer. I do not believe that there is. It is imperative that the Commander of 
USCYBERCOM understand the global cryptologic platform. The dual-hat relation- 
ship facilitates this knowledge and ensures that the Commander can maintain situ- 
ational awareness and respond when required in an extremely high-paced, complex, 
technical environment — while applying to both jobs a single ethos of protecting pri- 
vacy rights. 

Question. What is the timeline for Secretary Hagel’s decision? 

Answer. I do not know if there is a timeline for any decision on this topic. 

Question. At one point there was talk that DOD might slip this important change 
into an out-of-cycle adjustment to the Unified Command Plan (UCP). Can you as- 
sure us this will not be the case? 

Answer. Any final recommendation on changes to the Unified Command Plan to 
the President will be made through the Secretary of Defense. 

Question. Will you commit to us that before a final decision is made, Congress will 
be provided a mission statement, clearly defined parameters for combat action, and 
cost estimate? 

Answer. I am sure that the Secretary of Defense will work with the White House 
to ensure that our oversight committees have the information that they need to be 
comfortable with any decisions regarding the status of this command. 


Questions Submitted to Hon. Rand Beers, Acting Deputy Secretary, 
Department of Homeland Security 

Questions Submitted by Senator Patty Murray 

Question. Currently, the development, marketing, sale, and resale of software ex- 
ploits, including attack capabilities, is legal and unregulated making it one of the 
few remaining unregulated weapons markets. 

Is it in the United States’ interest to allow the open and unfettered sale of these 
exploits and other attack capabilities? What steps are currently being taken to pro- 
tect the United States against the proliferation of these capabilities? 

Answer. The Department of Homeland Security (DHS) works closely with public 
and private sector partners to coordinate the discovery and responsible disclosure 
of software vulnerabilities before they can be exploited. DHS cybersecurity experts 
are following the evolution of the software vulnerability marketplace, including le- 
gitimate “bug bounty” programs, to ensure that our resources are being applied to 
address gaps in vulnerability discovery and mitigation that industry alone cannot 
correct. DHS’s Science and Technology Directorate, through its Software Quality As- 
surance project, is developing technologies to improve techniques in software quality 
assurance tools to better detect these types of vulnerabilities in software systems. 
DHS S&T will offer these technologies and improvements through the Software As- 
surance Marketplace (SWAMP), a state-of-the-art facility designed to advance our 
Nation’s cybersecurity by providing a collaborative research environment to improve 
software development activities that will protect the national cyber and critical in- 
frastructure systems against the proliferation of these software vulnerabilities and 
threats. In addition, DHS is working with our international industry and govern- 
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ment partners to ensure that software and supply chain risks can be proactively ad- 
dressed worldwide. 

Question. The North American Electric Reliability Corporation (NERC) has been 
among the more successful industry solutions to ensuring basic levels of 
cybersecurity across whole sectors of critical infrastructure. While its mandatory 
cybersecurity standards are broadly implemented across the bulk power system, 
NERC’s voluntary standards are minimally adhered to. Compounding this dynamic 
is the length of time NERC takes to issue new mandatory standards; many of the 
voluntary standards issued since the last ruling are recognized as essential 
cybersecurity measures in the face of today’s cyber threats. Given that NERC is a 
leader across the greater realm of critical infrastructure, I am concerned with the 
cyber readiness of other sectors. 

How can Congress facilitate the formulation and adoption of acceptable standards 
within the current regulatory framework and create the structures needed to de- 
velop these standards in the first place within the sectors that lack them? 

Answer. Congress can leverage the consultative process adopted during the devel- 
opment of the National Institute of Standards and Technology’s Cybersecurity 
Framework called for in section 7 of Executive Order (EO) 13636, as well as regu- 
latory agencies’ assessments of current regulatory frameworks from section 10 of the 
EO, to assess the need for new or updated standards and ensure that such stand- 
ards are flexible and adaptable given evolving technologies and unique risk environ- 
ments. Congress can also work with DHS, Sector-Specific Agencies (SSAs), the inde- 
pendent regulatory agencies, and the private sector to understand the constraints 
that limit adoption and to implement voluntary or legislative solutions to reduce 
burdens or increase benefits of adoption or compliance. By assessing whether, and 
how, a lack of standards or standard adoption is resulting in sub-optimal 
cybersecurity outcomes, Congress can promote solutions associated with a measur- 
able business case, and encourage the adoption of particular standards by sector or- 
ganizations, SSAs, insurers, and other relevant bodies. This may also include the 
promotion of particular incentives, such as those identified in the DHS, DOC and 
Treasury responses to the EO 13636/Presidential Policy Directive-21 tasking on in- 
centives studies. 


Questions Submitted by Senator Richard J. Durbin 

CYBER EXECUTIVE ORDER — ROLE OF THE EXECUTIVE ORDER VERSUS CYBER 

LEGISLATION 

Question. President Obama issued Executive Order 13636 in February of this 
year. What is the effect of this Executive order? Is it improving your ability to share 
information with the private sector? 

When he signed the Executive order, President Obama also underscored the need 
for comprehensive cybersecurity legislation, since the scope of the Executive order 
is limited. What are your legislative priorities in terms of items you believe should 
be included in cyber legislation? 

We’d like to hear from all the witnesses on this issue. 

Answer. Facing persistent and constantly evolving threats to our Nation from 
cyber attacks that could disrupt our power, water, communication and other critical 
infrastructure, the President issued Executive Order (EO) 13636 on Improving Crit- 
ical Infrastructure Cybersecurity and Presidential Policy Directive (PPD) 21 on Crit- 
ical Infrastructure Security and Resilience. These policies reinforce the need for a 
holistic approach to security and risk management. 

Implementation of the EO will drive action toward system and network security 
and resiliency, and will also enhance the efficiency and effectiveness of the U.S. Fed- 
eral Government’s work to secure critical infrastructure and make it more resilient. 
Information sharing is a critical component of a comprehensive strategy, and section 
4 of the EO directs the Department of Homeland Security (DHS) to expand its re- 
porting and dissemination of cyber threat information, expedite security clearances, 
and expand the use of private sector subject matter experts in the Federal Govern- 
ment in order to build and strengthen information sharing partnerships. 

Section 4 also directs DHS to expand the Enhanced Cybersecurity Services (ECS) 
program to all critical infrastructure sectors. 

The ECS program coordinates the protection, prevention, mitigation, and recovery 
from cyber incidents through information sharing initiatives with business owners 
and operators to strengthen their facilities and communities. ECS is a voluntary in- 
formation sharing program that assists critical infrastructure owners and operators 
as they improve the protection of their systems from unauthorized access, exploi- 
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tation, or data exfiltration. DHS works with cybersecurity organizations from across 
the Federal Government to gain access to a broad range of sensitive and classified 
cyber threat information. DHS develops indicators based on this information and 
shares them with qualified Commercial Service Providers (CSP), thus enabling them 
to better protect their customers who are critical infrastructure entities. 

ECS augments, but does not replace, an entity’s existing cybersecurity capabili- 
ties. It does not involve any Federal Government monitoring of private networks or 
communications, and information relating to threats and malware activities de- 
tected by the CSPs is not directly shared between the critical infrastructure CSP 
customers and the Federal Government. Any information shared by a CSP customer 
is done so voluntarily, in an anonymized fashion. As directed in EO 13636, the ECS 
program is available to each of the 16 critical sectors. 

Although this EO will help to bolster the Nation’s cyber defenses, it does not 
eliminate the urgent need for legislation in these and other areas of cybersecurity. 
The administration’s legislative priorities for the 113th Congress build upon the 
President’s 2011 Cybersecurity Legislative Proposal and take into account 2 years 
of public and congressional discourse about how best to improve the Nation’s 
cybersecurity. 

The administration believes that legislation should: 

1. Facilitate cybersecurity information sharing between the Government and the 
private sector, as well as among private sector companies, while protecting privacy 
and civil liberties, reinforcing the appropriate roles of civilian and intelligence agen- 
cies, and including targeted liability protections; 

2. Incentivize the adoption of best practices and standards for critical infrastruc- 
ture by complementing the process set forth under the EO; 

3. Give law enforcement the tools to fight crime in the digital age; 

4. Update Federal agency network security laws, and codify DHS’s cybersecurity 
responsibilities; 

5. Create a National Data Breach Reporting requirement that includes notifica- 
tion to law enforcement personnel. 

Privacy and civil liberties safeguards must be a core component of each of these 
legislative areas. 

CYBER EXECUTIVE ORDER — PROTECTING PRIVACY AND CIVIL LIBERTIES 

Question. The Executive order requires Federal agencies to develop cybersecurity 
efforts in accordance with the Fair Information Practice Principles, as well as other 
policies, principles, and frameworks to protect privacy and civil liberties. I worked 
with a number of other Senators to ensure that the Cybersecurity Act of 2012 in- 
cluded provisions to protect privacy and civil liberties. 

What specific steps can government agencies take to ensure that privacy and civil 
liberties are protected as we enhance our Nation’s cybersecurity? 

Answer. The Department believes that protecting privacy and civil liberties re- 
quires attention in all phases of cybersecurity activities. In addition to following the 
Fair Information Practice Principles and any applicable laws or other frameworks 
that protect individual rights, agencies can do the following to ensure that privacy 
and civil liberties are protected as we enhance our Nation’s cybersecurity: 

1. Proactively engage with program managers and staff to identify cybersecurity 
activities; 

2. Identify any potential privacy or individual rights concerns associated with 
those activities; 

3. Implement proactive privacy and civil liberties protections 

4. Assess activities in a way to minimize risks to privacy and individual rights; 

5. Develop policies and procedures to mitigate any remaining risks to individual 
rights. 

The Department recognizes that the involvement of the privacy and civil rights 
and civil liberties advocacy community is helpful both for purposes of establishing 
an advisory relationship and for building robust oversight into security processes. 
For EO and PPD implementation, DHS hosted five sessions with these communities 
to educate them on the Department actions for critical infrastructure security and 
resilience and to solicit their expert guidance as programs are put into place. 

Privacy is an integral component of the DHS cyber mission. Within the Office of 
Cybersecurity and Communications (CS&C), the ECS program and the National 
Cybersecurity Protection System (NCPS), or EINSTEIN, are good examples of how 
DHS builds privacy and civil liberties protections into cyber activities. DHS con- 
ducted both classified and unclassified Privacy Impact Assessments (PIA) for both 
programs, to fully assess the privacy protections in place. These PIAs provide a com- 
prehensive understanding of the CS&C cybersecurity programs, further increasing 
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transparency. The DHS Office for Civil Rights and Civil Liberties has also provided 
advice to both ECS and EINSTEIN program leadership since the inception of the 
programs to ensure that appropriate protections are built in. The Office has also 
provided civil liberties training to the U.S. Computer Emergency Readiness Team 
(US-CERT) personnel, articulating principles for operators to ensure the protection 
of individual rights. 

Specifically, the ECS program exemplifies how the Department is working to 
build cybersecurity partnerships based off of transparency and privacy protections. 
ECS is a voluntary information sharing program through which the Federal Govern- 
ment provides sensitive and classified cyber threat indicators to Commercial Service 
Providers (CSP), enabling them to augment the cybersecurity services available to 
critical infrastructure entities. ECS does not monitor private networks or commu- 
nications. While CSPs may provide anonymized, aggregated information about en- 
countered threats, this high-level information is strictly used to ascertain the effec- 
tiveness of information sharing and to help DHS better respond to critical infra- 
structure’s needs. 

Additionally, DHS conducts quarterly reviews of indicators and signatures and 
has conducted an overall Privacy Compliance Review of the EINSTEIN program. We 
also work to ensure that NPPD collects only the data necessary to support computer 
network defense activities. Standard operating procedures ensure that we minimize 
data collection to only the information that we determine is analytically relevant to 
pre-defined known or suspected cyber threats. 

This commitment to the protection of privacy and civil liberties in DHS 
cybersecurity activities is longstanding. As part of the Cyberspace Policy Review 
conducted by the administration in 2009, the Department met with privacy and civil 
liberties advocates and academics (at a Top Secret/Sensitive Compartmented Infor- 
mation [TS/SCI] level) to discuss the Advanced Persistent Threat landscape and the 
Federal Government response. That meeting led to the creation of a subcommittee 
of DHS’s Data Privacy and Integrity Advisory Committee (DPIAC), which is briefed 
regularly at the TS/SCI level. Last year, the DPIAC subcommittee produced a report 
that sets forth recommendations for DHS to consider when evaluating the effective- 
ness of cybersecurity pilots and for specific privacy protections for DHS to consider 
when sharing information from a cybersecurity pilot with other agencies. 


Questions Submitted by Senator Mary L. Landrieu 

CYBERSECURITY ROLE FOR THE NATIONAL GUARD 

Question. On June 13, 2013, the day of the Appropriations Committee hearing en- 
titled “Cybersecurity: Preparing for and Responding to the Enduring Threat”, the 
Committee received a report from the Department of Homeland Security (DHS) and 
Department of Defense (DOD) which was due to Congress on May 1, 2012 as pre- 
scribed in the joint explanatory statement accompanying the fiscal year 2012 DHS 
Appropriations Act (Public Law 112-74). The purpose of the report was to outline 
the capabilities of a coordinated response to a cyber attack by DHS and the National 
Guard and how critical relationships can be established across the agencies to fulfill 
cybersecurity responsibilities. The information provided, which was submitted sepa- 
rately by the two agencies, outlines on a high-level, the programs DHS and DOD 
(as a whole) are maintaining for a response. Unfortunately, the report falls short 
of providing Congress an understanding of the DHS and National Guard’s capacity 
to respond to a cyber attack jointly. In order for Congress to better understand the 
gap between capacity and need, a sense of scope is required. 

How many National Guard cybersecurity personnel currently exist, and where? 
Are they employed in teams or individually? If they are employed in teams, how 
many teams are there and where are they located? 

As DOD and DHS are building the capacity the Federal Government needs to pro- 
tect against and respond to a cyber attack: what specific role is being considered 
for the National Guard; and how is the Guard’s ability to switch between title 32 
authorities and title 10 authorities being taken into consideration? 

Is there a cost savings associated with utilizing the National Guard based on cur- 
rent training? How much? 

Are there skills identified within the National Guard that cut down the time 
needed to train a cyber airman or soldier to be able to respond to a cyber attack? 

Answer. Successful response to dynamic cyber threats requires leveraging home- 
land security, law enforcement, and military authorities and capabilities, which re- 
spectively promote domestic preparedness, criminal deterrence and investigation, 
and national defense. DHS, the Department of Justice (DOJ), and the Department 
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of Defense (DOD) each play a key role in responding to cybersecurity incidents that 
pose a risk to the United States. While each agency operates within the parameters 
of its authorities, the U.S. Government’s response to cyber incidents of consequence 
is coordinated among these three agencies such that “a call to one is a call to all.” 
Synchronization among DHS, DOJ, and DOD not only ensures that whole-of-govern- 
ment capabilities are brought to bear against cyber threats, but also improves the 
Federal Government’s ability to share timely and actionable cybersecurity informa- 
tion among a variety of partners, including the private sector. In terms of specific 
National Guard activities, DHS defers to DOD. 

CYBER TEST BEDS/RANGES 

Question. General Alexander testified that the services, departments, and agen- 
cies need to work together to ensure that they have adequate test bed and range 
space to safely organize, train, and equip the cyber warriors, operators, managers, 
researchers, and agents across the Federal Government. 

What are the specific requirements that your departments and their various agen- 
cies have for test bed and range space? What specific outcome will those established 
requirements render in trained personnel and tactics? 

Answer. The Department has a variety of requirements for test beds and range 
space, which DHS uses for internal employee training exercises, broader 
cybersecurity training for owners and operators within each of the 16 critical infra- 
structure sectors, and joint cyber exercises with partners. DHS likewise has long- 
standing requirements for a research-focused test bed that allows for the realistic 
and at-scale evaluation of innovative defensive technologies. 

Improving cybersecurity is a global challenge and, as a critical piece of research 
infrastructure, the test bed needs to be accessible to international researchers. The 
Experimental Research Testbed project (formerly the Cyber Defense Technology Ex- 
periment Research Testbed Program or DETER) began in 2004 as a joint effort be- 
tween the DHS Science and Technology Directorate (S&T) and the National Science 
Foundation (NSF) to address the need to research and understand new 
cybersecurity risks and threats in a safe environment. This international access re- 
quires that the test bed operate without classification restrictions or technology re- 
stricted by International Traffic in Arms Regulations (ITAR). The test bed must be 
securely accessible over the Internet so as to not require international researchers 
to have to travel to the physical location of the test bed. Additionally, since DHS 
S&T is focused on not only operating a research test bed, but also on conducting 
research to advance state-of-the-art test bed technology, it is critical that the soft- 
ware utilized is available as Open Source. Put simply, the availability of Open 
Source software allows researchers to transition technology advances to additional 
facilities. The software used in the test bed has been transitioned to four other fa- 
cilities and is in the process of being deployed internationally. Test beds at those 
additional facilities can be connected together through “federation” techniques and 
experiments spanning multiple facilities can be conducted accordingly. This federa- 
tion allows for greater capacity and access to unique resources, such as the power 
system test bed at the University of Illinois — Urbana Champaign. 

Other agencies use the Experimental Research Testbed as a platform to develop 
and evaluate defensive mechanisms against cyber attacks on infrastructure. For ex- 
ample, the Defense Advanced Research Projects Agency (DARPA) currently uses the 
test bed as a consolidated evaluation platform for one of its programs — a leveraging 
of resources that saves DARPA the time and expense of constructing individual test 
beds for its six participants. In return, DARPA has provided both hardware and up- 
grades to the Experimental Research Testbed project. 

Question. What is the current test bed and range capacity available to each of 
your departments? What is the wait time or backlog based on the access you cur- 
rently have? 

Answer. Currently, the Experimental Research Testbed has more than 3,500 ac- 
tive users from 29 different countries and is comprised of nearly 700 PC-based 
nodes spread between California and Virginia. It is a shared resource capable of 
running hundreds of concurrent experiments. The capacity of the test bed is en- 
hanced by state-of-the-art virtualization techniques that intelligently assign re- 
sources to different components of an experiment based upon the level of fidelity 
needed. This capability is under active development and is allowing the test bed’s 
capacity to continually grow without requiring additional hardware. 

For smaller scale experiments, there is generally no wait time for researchers. For 
larger experiments that require the dedication of a large portion of the test bed, re- 
searchers may be required to wait several days until enough resources can be dedi- 
cated. The test bed is also used as a learning environment by over 70 college and 
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university classes per semester. Test bed access therefore can become constrained 
during finals when large numbers of students attempt to access it to finish assign- 
ments. 

Question. Have you identified additional test bed or range space that you would 
like to acquire, use, or lease? 

Answer. DHS S&T is collaborating with NSF to conduct a comprehensive study 
across the cybersecurity research landscape to determine future requirements. This 
study is expected to be completed in mid-fiscal year 2014 and will be used to iden- 
tify what additional test bed capabilities and capacity are required. 

Question. What are the fiscal years 2013 and 2014 funding levels for testing and 
training space? 

Answer. DHS S&T will be funding the Experimental Research Testbed project at 
$4.8 million in fiscal year 2013, and plans to fund it at $4.8 million in fiscal year 
2014. 

Question. What percentage of your required testing and training needs will you 
be able to meet in fiscal years 2013 and 2014? 

Answer. DHS S&T’s Experimental Research Testbed project currently fulfills the 
identified test bed requirements for cybersecurity research. The capabilities and ca- 
pacity of the test bed will continue to improve in order to better address advancing 
threats and increasingly complex research challenges. 

ROLE OF THE SECRET SERVICE IN CYBER INVESTIGATIONS 

Question. On March 13, 2013, Jenny A. Durkan, United States Attorney, Western 
District of Washington, testified before the House of Representatives Committee on 
Judiciary, Subcommittee on Crime, Terrorism, Homeland Security, and Investiga- 
tions, discussing “Investigating and Prosecuting 21st Century Cyber Threats.” In 
her testimony she highlighted eight significant cyber investigations, four of which 
were Secret Service cases, a component of DHS. 

We hear much about DHS’s role in the securing of cyber space; what is DHS’s 
role in investigating cyber crimes targeting our financial infrastructure? 

Answer. DHS’s law enforcement components are essential to securing the Nation 
from cyber criminals and cyber attacks. Investigating, arresting, and supporting the 
successful prosecution of criminal cyber actors is a critical element of the Depart- 
ment’s strategy to safeguard and secure cyberspace. Effective investigations identify 
and lead to the arrest of the individuals and groups behind cyber attacks and other- 
wise disrupt the criminals responsible for such attacks. During the course of their 
investigations, DHS law enforcement components also develop criminal intelligence 
that can provide public and private sector entities with the knowledge and tools nec- 
essary to detect and disrupt future attacks. 

Industry representatives such as Symantec estimate that cyber crime costs the 
U.S. taxpayer more than $110 billion annually. 1 While public discourse tends to cen- 
ter on the potential for national-level cyber attacks, cyber crime in the aggregate 
does serious damage to our Nation every day, and fighting cyber crime is an impor- 
tant part of keeping our Nation safe and our economy strong. DHS, through the in- 
vestigative authority of the U.S. Secret Service, is focused on protecting the Nation’s 
financial system from exploitation by cyber criminals. The U.S. Secret Service has 
adapted its investigative techniques over the years to address the emerging trends 
of cyber criminals. For example, since passage of the Comprehensive Crime Control 
Act of 1984, the U.S. Secret Service has arrested over 30,644 individuals for 
cybercrime violations with an attributed fraud loss of over $2.7 billion and potential 
fraud loss of over $33 billion. 

In 2001, Congress likewise recognized the U.S. Secret Service for its expertise in 
preventing, detecting, and investigating potential attacks against critical infrastruc- 
ture and financial payment systems and directed the agency to develop a national 
network of Electronic Crimes Task Forces based on the successful model of the New 
York Electronic Crimes Task Force. Today, the U.S. Secret Service operates 31 do- 
mestic and international Electronic Crimes Task Forces that merge the skills and 
knowledge of representatives from Federal, State, local, private industry, and aca- 
demic partners in furtherance of protecting the Nation’s critical infrastructure and 
financial payment systems from cyber crime. In fiscal year 2012, the U.S. Secret 
Service arrested 1,378 individuals for cyber crime violations responsible for over 
$355 million in fraud losses and over $1.2 billion in potential losses. These inves- 


1 Norton 2012 Cybercrime Report: http://www.norton.com/2012cybercrimereport 

Ponemon Cost of Cybercrime (if extrapolated): http://www8.hp.com/us/en/hp-news/press-re- 
lease.html?id=1303754 
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tigations culminated with the Department of Justice attaining a 99.6-percent convic- 
tion rate for these cases. 

We also work with a variety of international partners to combat cybercrime. For 
example, through the U.S.-EU Working Group on Cybersecurity and Cybercrime, 
which was established in 2010, we develop collaborative approaches to a wide range 
of cybersecurity and cybercrime issues. In 2011, DHS participated in the Cyber At- 
lantic tabletop exercise, a U.S.-EU effort to enhance international collaboration of 
incident management and response, and in 2012, DHS and the EU signed a joint 
statement that advances transatlantic efforts to enhance online safety for children. 
U.S. Immigration and Customs Enforcement (ICE) also works with international 
partners to seize and destroy counterfeit goods and disrupt Web sites that sell these 
goods. Since 2010, ICE and its partners have seized over 2,000 domain names asso- 
ciated with businesses selling counterfeit goods over the Internet. To further these 
efforts, the administration issued its Strategy on Mitigating the Theft of U.S. Trade 
Secrets last month. DHS will act vigorously to support the Strategy’s efforts to com- 
bat the theft of U.S. trade secrets — especially in cases where trade secrets are tar- 
geted through illicit cyber activity by criminal hackers. 

In addition, since opening in May of 2008, the National Computer Forensics Insti- 
tute (NCFI) has held over 90 Cyber and Digital Forensics courses in 13 separate 
subjects. The NCFI has trained more than 2,000 State and local investigators, pros- 
ecutors, and judges. This institution serves as the Nation’s only center dedicated to 
instructing State and local law enforcement in digital forensics and equips grad- 
uates to conduct network intrusion and electronic crimes investigations. Several 
hundred prosecutors and judges, as well as representatives from the private sector, 
have also received training on the impact of network intrusion incident response, 
electronic crimes investigations, and computer forensics examinations. 

DHS is committed to working with its partners across government and the private 
sector to protect the Nation’s critical financial infrastructure from cyber attack. To 
achieve this goal, DHS will bring to bear the tremendous investigative resources of 
its law enforcement components against those who attempt to do us harm. 

Question. Would you characterize the recent $45 million ATM scheme, inves- 
tigated by the Secret Service among others, as representative of a trend in global 
cybercrime? 

Answer. The facts relayed in the recently unsealed indictments against eight of 
the individuals involved in the theft of over $45 million from various ATMs in New 
York City are an example of the highly sophisticated, organized, transnational 
cyber-criminal activity impacting the Nation’s financial system. This case is just one 
example of a number of recently “unlimited cash-out” operations conducted in a 
highly coordinated fashion by transnational networks of cyber criminals. 

The ATM case demonstrates, as numerous cybersecurity experts have confirmed 
in testimony before congressional committees, that the majority of network intru- 
sions are carried out by criminal actors whose sole motivation is financial gain. The 
suspects distributed the stolen data to organized crews of street criminals in more 
than 20 countries who then encoded the information on magnetic-stripe plastic 
cards. While this particular case was conducted by a transnational network of high- 
ly technical hackers, other U.S. Secret Service investigations have demonstrated 
that many financial intrusions are successfully executed against networks because 
of weak or stolen credentials. DHS is committed to not only reducing this threat 
through effective investigations, but also working with financial institutions through 
the Financial Services Information Sharing and Analysis Center to help them better 
secure their computer systems. 

Question. What additional resources might be needed by the investigative arms 
of DHS to properly combat this type of fraud? 

Answer. Investigating cybercrime requires highly trained and experienced crimi- 
nal investigators. ICE and the U.S. Secret Service are expanding participation in 
the existing Electronic Crimes Task Forces (ECTF), which will strengthen the De- 
partment’s cybercrimes investigative capabilities and realize efficiencies in the pro- 
curement of computer forensic hardware, software licensing, and training. The U.S. 
Secret Service-led ECTF model has been in existence for over 20 years. Hiring and 
training additional law enforcement investigators in the U.S. Secret Service would 
enhance the Department’s capacity to respond to and investigate cybercrime di- 
rected at the Nation’s financial infrastructure. Additional resources would also allow 
DHS to increase the capacity of the Secret Service’s network of ECTFs and further 
develop its international cyber investigative working groups to respond to 
transnational threats to critical infrastructure. 

Improving cybersecurity requires public-private partnerships, and the vast scope 
of cybercrime directed at the United States means that our partners at the State, 
local, and tribal governmental levels are vital to the national effort. In order to de- 
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velop State and local capacity to investigate cybercrimes, the U.S. Secret Service op- 
erates the NCFI in Hoover, Alabama. This facility is the Nation’s only federally 
funded training center dedicated to instructing State and local law enforcement offi- 
cials about the complexities associated with cybercrime investigations. The NCFI is 
capable of training over 2,000 State and local police investigators, prosecutors and 
judges in cybercrime investigations every year. Since 2008, the NCFI has been fund- 
ed annually at §4 million. The current level of funding, for example, allowed NCFI 
to train and equip over 600 police investigators, prosecutors and judges in 2012. 
These officials have come from all 50 States and three U.S. territories. 

Cyber criminals often operate outside the borders of the United States, and re- 
lated investigations accordingly require extensive cooperation with international law 
enforcement agencies. Additionally, law enforcement agencies have long recognized 
that the most critical capability for transnational organized crime is to quickly and 
quietly move large quantities of money across borders. The anonymity of cyberspace 
affords a unique opportunity for criminal organizations to launder huge sums of 
money undetected. The cyber crime investigations of the U.S. Secret Service depend 
heavily on developing and maintaining effective international law enforcement part- 
nerships. The Department of State and the Department of Justice are critical part- 
ners in developing these international relationships and in the execution of inter- 
national law enforcement action through multilateral assistance treaties. Funding 
to support the international investigations of DHS law enforcement components, 
training for its international law enforcement foreign partners, and associated inves- 
tigative travel costs would enhance DHS’s investigative capabilities. 

Question. What will be the impact of the dismantling of Liberty Reserve and their 
digital currency system by the Secret Service, its Electronic Crimes Task Forces, 
Immigration and Custom Enforcement investigators, and the IRS on illegal cyber 
money laundering operations? 

Answer. Over the course of its 7-year existence, Liberty Reserve emerged as the 
principal means by which cyber criminals around the world distributed, stored, and 
laundered the proceeds of illegal activity. Liberty Reserve facilitated a broad range 
of online criminal activity, including narcotics trafficking, child pornography, com- 
puter hacking, investment fraud, credit card fraud, and identity theft. Annually, 
Liberty Reserve processed more than 12 million financial transactions with a com- 
bined value of $1.4 billion. Since its founding in 2006, Liberty Reserve processed an 
estimated 55 million separate financial transactions and is believed to have 
laundered more than $6 billion in criminal proceeds. 

The dismantling of Liberty Reserve by the U.S. Secret Service and its partners 
in the Global Illicit Financial Team — IRS-CI and ICE-Homeland Security Investiga- 
tions (HSI) — significantly impacted the cyber criminal community, forcing cyber 
criminals to seek alternative means to fund their illicit activities. 

ROLE OF DHS IN CAPABILITY BUILDING FOR LAW ENFORCEMENT CYBER INVESTIGATIONS 

Question. We are seeing more examples of cyber threats being encountered and 
responded to by State and local law enforcement officials. In many instances, how- 
ever, these officials do not have the appropriate type of training to fully understand 
what they are investigating may go beyond the incident they have encountered. 

Is DHS involved in developing the cyber law enforcement capabilities of State, 
local, and tribal entities for investigating these types of cyber crimes? 

Is this an appropriate role for DHS agencies to fulfill? 

Answer. DHS has a well-established role in developing and supporting State, 
local, tribal, and territorial (SLTT) capabilities. Included are the efforts of numerous 
components to develop SLTT capabilities and operational relationships to effectively 
investigate cyber crime. For example, the first U.S. Secret Service ECTF that was 
established in 1995 boosted cyber law enforcement capabilities in coordination with 
State and local authorities. Since 2001, when Congress directed that a nationwide 
network of ECTFs be established, the U.S. Secret Service has worked in partnership 
with SLTT authorities, the private sector, and academia to develop cyber capabili- 
ties for the common purpose of preventing, detecting, and investigating various 
forms of electronic crimes, including potential terrorist attacks against critical infra- 
structure and financial payment systems. 

In partnership with the State of Alabama, the Secret Service established the 
NCFI in Hoover, Alabama, for the purposes of training SLTT law enforcement offi- 
cials on cyber law enforcement methods and techniques. Since opening in 2008, the 
NCFI has trained over 2,000 State and police investigators, prosecutors, and judges 
in cybercrime investigations. These officials have come from all 50 States and three 
U.S. territories. The investigators trained by the NCFI are nominated by local Se- 
cret Service field offices where they can apply their skills as members of the ECTFs. 
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When it opened in 2008, the NCFI offered instruction in one of five cyber inves- 
tigation curriculums. As of 2013, the NCFI offers 13 separate curriculums designed 
to address developing cyber trends. For example, the NCFI worked last year with 
DHS to develop cyber analytical training for State and local law enforcement mem- 
bers staffing the cyber intelligence fusion centers throughout the Nation. An intra- 
agency agreement between the Federal Emergency Management Agency and the Se- 
cret Service will allow the NCFI to fund three more cyber analyst courses for fusion 
center members this year. Additionally, in August 2012, the NCFI partnered with 
the Federal Bureau of Investigation to conduct two NCFI training courses to State 
and local law enforcement officials assigned to the FBI’s National Domestic Commu- 
nications Assistance Centers. Currently, the NCFI operates at 25 percent of its ca- 
pacity on a $4 million annual budget. Additionally, the NCFI through its curriculum 
established a national standard of training in cybercrime investigations, network in- 
trusion response, computer forensics, and electronic crime prosecution. 

ICE-HSI has a workforce that is well-trained to deal with cybercrime. HSI has 
several hundred special agents that routinely deal with cyber crime, and we operate 
ICE’s Cyber Crime Center, or C3, and routinely provide investigative expertise and 
assistance to State, local, and tribal entities when consulted for assistance con- 
cerning transnational cyber crime. These efforts are an appropriate role for HSI to 
fill and to ensure that transnational criminal organizations are fully identified and 
dismantled via successful prosecutions. 


Questions Submitted by Senator Tom Udall 

ROLE OF NATIONAL LABORATORIES IN PROMOTING CYBERSECURITY 

Question. Secretary Beers, our National Labs — which are the crown jewels of our 
Nation’s research system — are active in efforts to promote cybersecurity. 

In my home State of New Mexico, Sandia National Laboratories is engaged in ef- 
forts to secure the national electrical grid from cyber attack. Los Alamos National 
Laboratories is a leader in quantum cryptography. 

Sandia also has partnerships with universities and the private sector. They’re 
helping computer science students become cyber professionals. 

Could you discuss what role our National Labs should have in protecting our Na- 
tion from cyber attack? 

Answer. The National Labs are essential for providing enduring and multi-dis- 
ciplinary research and development capabilities to help solve complex national secu- 
rity problems, including cyber-related problems. Among other things, the Labs pro- 
vide unique facilities and infrastructure in support of talented subject matter ex- 
perts who work to develop technologies and other solutions that help the Nation 
protect against and recover from cyber attacks. The S&T Cyber Security Division 
(CSD) has had great success in working with the Labs on several key cybersecurity 
initiatives. For example: 

— S&T CSD has frequently worked with Sandia National Labs to red-team devel- 
oped cybersecurity solutions. 

— The Pacific Northwest and Oak Ridge National Labs currently serve as prin- 
cipal investigator researchers for a number of S&T CSD’s research and develop- 
ment contracts. 

— The S&T CSD Transition to Practice Program is currently working with mul- 
tiple National Labs (Sandia, Los Alamos, Lawrence Livermore, Oak Ridge, and 
Pacific Northwest) to transition numerous developed cybersecurity technologies 
into the government and private sectors. 

NPPD also works with DHS S&T to ensure that cybersecurity research and devel- 
opment efforts are fully coordinated with ongoing programmatic requirements. With 
Pacific Northwest and Sandia National Labs, the Deputy Assistant Secretary for 
Cybersecurity Coordination participates in external review boards to review and 
shape research conducted at these Labs and to gain insight into research areas that 
may meet NPPD and S&T requirements in cybersecurity. S&T and the Homeland 
Security Enterprise should continue to leverage the strengths of the National Labs 
in cybersecurity to help respond to and mitigate the threats from cyber attacks. 

In addition, the National Labs provide advanced modeling, simulation and anal- 
ysis, and cyber training. This includes work with the National Infrastructure Sim- 
ulation and Analysis Center, a joint partnership with Sandia and Los Alamos to 
identify and address potential impacts to the sectors from possible cyber-related in- 
cidents and consequence analysis with the DHS NPPD Homeland Infrastructure 
Threat and Risk Analysis Center (HITRAC). HITRAC also works on ascertaining 
impacts from cyber manipulation of industrial control systems including leveraging 
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the expertise of Idaho National Labs as a partner. This analysis can inform part- 
ners, policymakers, and homeland security professionals about the potential con- 
sequences of a cyber-related incident and sector resilience to such events. 

MOBILE PHONES AND CYBERSECURITY AWARENESS 

Question. Secretary Beers, this year, there will be more mobile phones than peo- 
ple on the planet. Today, our wireless devices are not just phones, but pocket com- 
puters. We use them for sensitive transactions, including mobile banking and online 
purchases. 

But GAO recently found that cyber threats are increasing for mobile devices and 
the information they store. GAO recommended that DHS and NIST work together 
to “establish a baseline measure of consumer awareness . . . related to mobile se- 
curity.” GAO also recommends the development of performance measures that use 
the baseline to assess the effectiveness of initiatives to educate the public about 
cybersecurity. 

Could you share any thoughts on how best to raise public awareness for cyber se- 
curity threats to mobile devices? 

Answer. Public awareness is best developed in partnership with the mobile device 
communications service providers, which have a financial interest in the quality of 
their service. Part of that quality of service would include ensuring proper protec- 
tion of their customers’ mobile devices. Increased awareness and the capabilities 
sought can be developed through thoughtful engagement with standing advisory 
groups such as the National Security Telecommunications Advisory Committee. 

Part of the engagement might focus on consumer and supplier adoption of the up- 
date practices similar to those used to protect desktop systems. Anti-malware pro- 
tection and timely updates of applications and operating systems is just as impor- 
tant for mobile devices (phones and tablets) as for desktop computers. The same is 
true for other networked devices like multifunction printers that themselves host so- 
phisticated operating systems and applications. 

Mobile banking and third-party payment systems continue to increase in popu- 
larity due to the efficiencies they provide to the consumer and financial institutions. 
This has resulted in cybersecurity challenges that merit attention. As part of DHS’s 
responsibilities to secure key conveyances in the global economy and the U.S. Secret 
Service’s role to protect the financial system from criminal exploitation, the Depart- 
ment works closely with its partners across government and in the private sector 
to not only raise awareness of these risks, but establish effective ways to mitigate 
these growing risks. Recently the Federal Deposit Insurance Corporation (FDIC) 
published information about the current landscape of mobile banking. As a starting 
point for financial institutions seeking to adopt mobile banking services, the FDIC 
references risk management strategies outlined in the Federal Financial Institu- 
tions Examination Council IT Examination Handbook. That handbook, however, 
does not discuss mobile devices specifically. The FDIC’s statements instead relate 
to mobile banking and not necessarily mobile payment systems. 

While there accordingly may be some good cybersecurity work being done on the 
mobile banking side, the consumer likely does not make a distinction and may as- 
sume the same level of cybersecurity attaches whether they use mobile banking or 
mobile payment systems. For example, most users connect their mobile payment 
systems, such as PayPal, directly to their checking accounts or other bank accounts. 
Disparate levels of cybersecurity between the two could result in a systemic security 
risk, where a compromise to one (mobile payment systems) has the potential for 
causing loss in both. In essence, both become a single system with shared, lowest- 
denominator, vulnerability. More broadly, current third-party application security is 
primarily based on device/operating system policies regarding application signing 
and privileges. Unfortunately, the devices must rely on transmission protocols (like 
SMS) that were not designed with security in mind. For example, the U.S. Secret 
Service Cell Phone Forensic Facility at the University of Tulsa is working to show 
how SMS payment systems can be attacked using simple and widely available wire- 
less devices. Further research is needed to assess all attack vectors to determine 
what further mitigation is necessary. 

The Federal Government can raise public awareness about mobile device cyber 
risk by continuing to support fundamental research to identify vulnerabilities and 
to develop effective mitigation and protection measures. Both the U.S. Secret Serv- 
ice’s Cell Phone Forensics Facility at the University of Tulsa and its ongoing part- 
nership with Carnegie Mellon CERT serve as outstanding examples of how the Fed- 
eral Government can effectively partner with academia for this purpose. S&T has 
launched a research program to improve the security of mobile devices and enable 
better detection of malicious applications. These research efforts not only serve to 
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raise awareness of these sorts of vulnerabilities, but also to develop effective mitiga- 
tion and protection measures. 

Question. What is the proper role for government and industry to promote best 
practices for both companies and consumers? 

Answer. Government and industry are well positioned to collaboratively promote 
best practices for companies and consumers. Government can measure awareness 
across a large consumer base and use this baseline measure to further assess its 
performance as it employs public cybersecurity awareness initiatives, such as the 
Stop.Think.Connect.™ campaign. In addition, as the developer, producer, and con- 
sumer of mobile device products, industry has an invaluable sense of which security 
practices are effective. Government can convene and organize collaborative proc- 
esses that ensure the best practices from within Government and from across indus- 
try are brought together and made available to wide range of consumers, both tech- 
nical and nontechnical. Where appropriate, Government can build these best prac- 
tices into its outreach and awareness efforts. 

Among its activities, DHS provides and promotes a trusted environment for ex- 
change of information between industry mobile device communications service pro- 
viders, manufacturers, and Government in order to identify and develop consensus 
on best practices in mitigating the ongoing emerging cyber threats being deployed 
to exploit privacy of their mobile devices. The best practices are pushed to the public 
through industry partners and Government outreach. 

Currently, DHS promotes cybersecurity and resilience via enhanced processes and 
diagnostics in partnership with industry and academia. DHS enables public-private 
collaboration focused on reducing exploitable software weaknesses and addressing 
means to improve capabilities that routinely develop, acquire, and deploy resilient 
information technology (IT) products. Among its activities, DHS: 

— Enables partners and citizens to secure their part of cyberspace by providing 
public-private collaboration in advancing security and resilience of IT through- 
out the lifecycle; 

— Focuses on reducing exploitable weaknesses and addressing means to improve 
capabilities that routinely develop, acquire, and deploy resilient products; 

— Enables security automation and measurement through the use of common in- 
dexing, reporting and scoring capabilities for malware, exploitable software 
weaknesses, counterfeit and tainted hardware, and common attacks on IT as- 
sets. 


Questions Submitted by Senator Thad Cochran 

Question. All witnesses, we have heard about the importance of cooperation and 
clearly defined lanes responsibility across the Federal Government for our 
cybersecurity efforts. What are your respective roles in receiving and sharing threat 
information with the private sector? 

Answer. The success of DHS’s cyber mission relies heavily on the response to dy- 
namic cyber threats through the leveraging of homeland security, law enforcement, 
and military authorities and capabilities, which respectively promote domestic pre- 
paredness, criminal deterrence and investigation, and national defense. DHS, the 
Department of Justice (DOJ), and the Department of Defense (DOD) each play a 
key role in responding to cybersecurity incidents that pose a risk to the United 
States. While each agency operates within the parameters of its authorities, the 
Federal Government’s response to cyber incidents of consequence is coordinated 
among these three agencies such that “a call to one is a call to all.” Synchronization 
among DHS, DOJ, and DOD not only ensures that whole-of-government capabilities 
are brought to bear against cyber threats, but also improves the Federal Govern- 
ment’s ability to share timely and actionable cybersecurity information among a va- 
riety of partners, including the private sector. 

For its part, the DHS cyber mission relies on its ability to establish shared situa- 
tional awareness of potentially harmful activity, events, or incidents across multiple 
constituencies to improve the ability of diverse and distributed partners to protect 
themselves. To do this, the DHS National Cybersecurity and Communications Inte- 
gration Center (NCCIC) incorporates information and data received through its own 
analysis, Intelligence Community, and law enforcement reporting, along with data 
shared by private sector and international partners into a comprehensive series of 
actionable information products, which are shared with partners in easy to digest 
machine-readable formats. 

Multidirectional sharing of alerts, warnings, analysis products, and mitigation 
recommendations among Federal, State, local, tribal, and territorial governments, 
private sector, information sharing and analysis centers, and international partners 
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is a key element of the NCCIC’s cyber and communications protection and preven- 
tion framework. The NCCIC continuously works with a broad range of partners to 
explore and innovate new ways to enhance information sharing and move closer to 
network speed communications. 

In order to meet DHS’s public-private cybersecurity data sharing and analytical 
collaboration mission, the Department has developed a critical infrastructure Cyber 
Information Sharing and Collaboration Program (CISCP) and the Enhanced 
Cybersecurity Services (ECS) program. The CISCP program mission is to improve 
the defensive posture of DHS’s critical infrastructure partners by: 

— Sharing a view of current threats and vulnerabilities affecting both critical in- 
frastructure and Federal Government sources among Federal Government and 
industry cybersecurity analysts. 

— Aligning those analysts in collaborative engagements regarding cyber threat de- 
tection, prevention, mitigation, and response efforts to reduce risks to critical 
infrastructure information technology and communications networks, systems, 
and data. 

The goal of the CISCP program is an effective information sharing framework 
among the Federal Government, Information Sharing and Analysis Centers and re- 
lated organizations, information and communications technology service providers, 
and their respective critical infrastructure owner/operator members and customers. 

Within the CISCP program, Federal Government and industry partners con- 
tribute threat data, adding to the volume of information currently available for anal- 
ysis by the DHS CISCP analytical team. Because the act of providing threat or at- 
tack data may harm competitive or other commercial interests of DHS’s industry 
partners, significant steps are taken by the CISCP Team to both conceal the source 
of data provided and to protect Protected Critical Infrastructure Information (PCII). 
First, all data is anonymized so that analysis of submitted data is not carried out 
or based upon the identity of the submitter absent their express authorization. The 
CISCP program data is governed using the Traffic Light Protocol (TLP), which is 
a set of designations used to ensure that sensitive information is shared with the 
correct audience. It employs four data-sharing categories (red, amber, green, and 
white) to indicate different degrees of sensitivity and the corresponding sharing con- 
siderations to be applied by the recipients. Regular analyst-to-analyst technical 
threat exchanges (both classified and unclassified) involving Federal Government 
and industry partners are likewise held to share details of cyber threat activity and 
mitigation recommendations. To join CISCP, stakeholders sign a Collaborative Re- 
search and Development Agreement that provides them with opportunities to estab- 
lish physical access to DHS’s NCCIC watch floor and to receive clearances up to the 
TS/SCI level. 

In addition to the CISCP program, DHS actively collaborates with public and pri- 
vate sector partners every day through the ECS program to respond to and coordi- 
nate mitigation efforts against attempted disruptions and adverse impacts to the 
Nation’s critical cyber and communications networks and infrastructure. Expanded 
in February 2013 by EO 13636, the ECS program coordinates the protection, pre- 
vention, mitigation, and recovery from cyber incidents through information sharing 
initiatives with business owners and operators to strengthen their facilities and 
communities. ECS is a voluntary information sharing program that assists critical 
infrastructure owners and operators as they improve the protection of their systems 
from unauthorized access, exploitation, or data exfiltration. ECS augments, but does 
not replace, an entity’s existing cybersecurity capabilities; rather it responds to high 
level malware threats that DHS, working with other experts, has determined pose 
the greatest threat to critical infrastructure. 

DHS works with cybersecurity organizations from across the Federal Government 
to gain access to a broad range of sensitive and classified cyber threat information, 
and in responding to major cyber incidents also comes into possession of such infor- 
mation. It would ordinarily be difficult to share classified and sensitive information 
about high-level cyber threats with a broad range of private sector partners. Doing 
so could jeopardize intelligence sources and methods as well as law enforcement in- 
vestigations. It likewise could undercut private sector partners who provide DHS 
with threat information under the categorical exclusion (confidentiality assurance) 
provided available under the PCII authorities. 

DHS develops indicators based on threat information and shares it with a rel- 
atively small number of qualified CSPs, thus enabling them to better protect their 
customers who are critical infrastructure entities. In addition, the ECS program 
does not involve Government monitoring of private networks or communications; 
any monitoring is strictly voluntary, and solely occurs between the CSP and the pro- 
tected critical infrastructure entity. Collection of communications content, and for 
that matter metadata, is not directed, or permitted under the ECS program. The 
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information returned to the Federal Government by the CSPs is limited to 
anonymized, aggregated information about the threats detected, and the critical in- 
frastructure sectors at which the threats were directed. Any information shared by 
a CSP customer is done so voluntarily, in an anonymized fashion, and for a limited 
tenure. CSPs or critical infrastructure entities may choose to be involved with the 
Federal Government in other ways — for instance reporting a cybercrime or seeking 
technical assistance in case of a major cyber incident — but such involvement is not 
related to the conduct of the ECS program and occurs independently of it. 

The U.S. Secret Service also shares information that it derives through its cyber 
crime investigations, primarily through its 31 Electronic Crimes Task Forces 
(ECTF). The ECTFs hold quarterly meetings to share information with the U.S. Se- 
cret Service’s public and private sector partners, in addition to providing a conduit 
for sharing information with organizations facing specific cyber risks. In addition to 
ECTFs, the U.S. Secret Service and U.S. Immigration and Customs Enforcement 
(ICE) Homeland Security Investigations (HSI) support research efforts that provide 
extensive and detailed data on cyber crime trends. These reports include the 
Verizon Data Breach Investigations Report, the Trust Wave Global Security Report, 
and the U.S. Secret Service Computer Emergency Response Team’s (USSS-CERT) 
Insider Threat Report. In addition to these annual research reports, the U.S. Secret 
Service regularly sends special agents trained through the agency’s Electronic 
Crimes Special Agent Program to speak at cybersecurity and law enforcement con- 
ferences. The agents provide information to improve awareness of cybercrime meth- 
ods and trends. 

Question. All witnesses, I think we all recognize the importance of defending our 
Nation’s critical infrastructure against cyber attacks. A foreign or terrorist cyber at- 
tack on our electric grid, water systems, or financial systems could cause widespread 
damage and even have detrimental effects on our economy and consumer confidence. 
There has been much discussion about how involved the Federal Government should 
be in defending infrastructure owned by non-Federal entities. How would you define 
the threshold for what types of non-Federal infrastructure might qualify as “critical” 
for these purposes? 

Answer. The term “critical infrastructure” is defined in section 1016(e) of the USA 
Patriot Act of 2001 (42 U.S.C. 5195c(e)), namely systems and assets, whether phys- 
ical or virtual, so vital to the United States that the incapacity or destruction of 
such systems and assets would have a debilitating impact on security, national eco- 
nomic security, national public health or safety, or any combination of those mat- 
ters. This definition is used to determine which infrastructure, whether it is owned 
by a Federal entity or not, qualifies as critical. 

Question. Deputy Secretary Beers, I recognize the important role that cyber re- 
search and development plays in ensuring we maintain a technological edge against 
those who wish to harm our Nation’s civilian computer systems. I note that your 
department requested fiscal year 2014 funding for such initiatives, including experi- 
mental research testbed projects. Your Department is still a relatively young one 
and you don’t have the robust laboratory network that other Departments have. 
How are you collaborating with other Departments such as Defense and Energy to 
advance important research in cybersecurity and existing University capabilities? 
What are some of the technological challenges that we face? 

Answer. DHS S&T conducts large parts of its cybersecurity research and develop- 
ment (R&D) program in collaboration with other organizations across the Federal 
Government. For example, the S&T Cyber Security Division (CSD) is an active part 
of the National Information Technology Research & Development organization 
(NITRD), which coordinates R&D planning across the Federal Government, char- 
tered through the President’s National Science & Technology Council and the Office 
of Science and Technology Policy. NITRD developed a National Cybersecurity R&D 
Plan, published in December 2011, and has carried forward and sustained this col- 
laborative planning. CSD also leads the working group effort developing the Na- 
tional R&D Plan for Critical Infrastructure Security & Resiliency, which is a 
tasking from the EO 13636/PPD-21 guidance published this past February. 

CSD’s collaboration with other Federal agencies and organizations extends into 
specific R&D program efforts, including but not limited to the following: 

— DHS S&T and the Department of Defense (DOD) collaborate in their Small 
Business Innovation Research (SBIR) program efforts, including a combined an- 
nual review. 

— Department of Energy (DOE) Laboratories are conducting several elements of 
the DHS S&T Cyber Security research program. 

— DHS S&T has accepted several research projects transitioned from the Defense 
Advanced Research Projects Agency 



82 


— The DHS S&T Trustworthy Cyber Infrastructure for the Power Grid program 
is conducted in partnership with DOE. 

The DHS S&T Transition to Practice program is drawing promising cybersecurity 
technologies from the DOE National Laboratories to support its final development 
and transition into operational capability and use. 

The December 2011 NITRD report, “Trustworthy Cyberspace: Strategic Plan for 
the Federal Cybersecurity Research and Development Program,” describes in detail 
the technological challenges that DHS faces. Those challenges fall into four overall 
areas: 

— Advancing a balance of both long-term science and near-term engineering im- 
provements; 

— Understanding and addressing the interconnections of technological and human 
systems; 

— Understanding cyber complexity and addressing major risks and increasing re- 
silience; 

— Transitioning capabilities and improvements into operational use. 

In 2000, the U.S. Secret Service instituted the USSS-CERT liaison program in 
partnership with Carnegie-Mellon University’s Software Engineering Institute (SEI) 
in Pittsburgh, Pennsylvania — a federally funded research and development center 
(FFRDC) sponsored by the DOD. The USSS-CERT program sponsors the develop- 
ment and implementation of innovative, cost-effective solutions to meet emerging 
cyber threats across the full spectrum of operations. The Federal Government, 
through its collaborative model with the CMU-SEI, and the FFRDC, realizes signifi- 
cant cost savings by leveraging participating agencies’ resources to accomplish 
shared objectives with the cost-effective benefits. The U.S. Secret Service’s partner- 
ship and presence at SEI represents the U.S. Secret Service’s long-standing commit- 
ment to developing mission critical systems; cybercrime applications; and malware 
analysis and applications that identify, assess, and mitigate threats to the Nation’s 
financial systems, critical infrastructure, and persons and facilities protected by the 
U.S. Secret Service. 

Question. All witnesses, we’ve often heard that there is a potential for a “Cyber 
Pearl Harbor,” or an unexpected cyber attack on our Nation by a foreign entity that 
has dramatic and lengthy consequences. I think it may be difficult for most Ameri- 
cans, and even members of this Committee, to visualize how exactly such an attack 
would be carried out and what it would look like. Can you help us to better under- 
stand these things? Are the appropriations this Committee has been recommending 
sufficient to help prevent such an attack? 

Answer. The Department currently sees malicious cyber activity attacks against 
critical infrastructure from foreign nations and nonstate actors. Their methods 
range from distributed denial of service attacks and social engineering to viruses 
and other malware introduced through remote access, thumb drives, supply chain 
exploitation, and leveraging trusted insiders’ access. These attacks are becoming 
more frequent and more sophisticated, putting at risk the Nation’s critical infra- 
structure, which underpins the economy, provides the public with basic day to day 
needs, and ensures the Nation’s basic security and well-being. Ultimately, a signifi- 
cant cyber incident may come in many forms and the vulnerabilities that have yet 
to be identified may be the most important. Because of this increasing risk, DHS 
is working alongside interagency, private sector, and international partners to en- 
hance resilience, harden systems, and prepare for a variety of national response sce- 
narios. 

We thank the Committee for its ongoing support for the Department’s 
cybersecurity activities. However, DHS cybersecurity programs have been impacted 
by sequestration. For example, funding has been reduced for operations and mainte- 
nance and analytical contracts supporting the National Cybersecurity Protection 
System (NCPS). While this will not affect when NCPS E 3 A will reach initial oper- 
ating capability, full operating capability will be delayed beyond fiscal year 2015 if 
sequestration continues. Funding has also been reduced for licensing and installing 
sensors for continuous monitoring at Federal agencies and some features of the Fed- 
eral dashboard will be delayed until fiscal year 2014. Finally, funding for other 
cybersecurity activities, such as the U.S. Computer Emergency Readiness Team, 
funding for the Software Engineering Institute, the GFIRST Conference, updates to 
the Cyber Security Evaluations Tool, and the number of onsite risk assessments to 
the Transportation sector have been impacted by sequestration. 
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Questions Submitted to Hon. Dr. Patrick Gallagher, Acting Deputy Sec- 
retary, Department of Commerce Director, National Institute of Stand- 
ards and Technology 

Questions Submitted by Senator Patty Murray 

Question. The electricity subsector is already subject to mandatory and enforce- 
able cybersecurity standards. As NIST works to comply with the Executive order on 
cybersecurity, how is NIST working to ensure the Framework will include these ex- 
isting standards? 

Answer. [A response was not provided by press time.] 

Question. Understanding that cyber threats are constantly evolving and that own- 
ers and operators of critical infrastructure have to make decisions just like the Fed- 
eral Government on what needs to be secured, how is NIST including risk manage- 
ment practices within the Framework activities? 

Answer. [A response was not provided by press time.] 


Questions Submitted by Senator Richard J. Durbin 

CYBER EXECUTIVE ORDER — ROLE OF THE EXECUTIVE ORDER VERSUS CYBER 

LEGISLATION 

Question. President Obama issued Executive Order 13636 in February of this 
year. What is the effect of this Executive order? Is it improving your ability to share 
information with the private sector? 

Answer. The Executive order directs the National Institute of Standards and 
Technology (NIST) to lead the development of a framework to reduce cyber risks to 
critical infrastructure. The framework is intended to be used on a voluntary basis 
throughout an entire organization — including by the most senior executives who 
oversee an organization to the officials and staff responsible for managing informa- 
tion technology-based resources. It is designed specifically for companies and other 
entities that are part of the critical infrastructure, especially owners and operators 
of critical infrastructure, to identify, assess, and manage cyber risk. However, other 
organizations — large and small and with varying business needs — will benefit by re- 
ducing risks and protecting their assets and mission-driven work by using the 
framework. 

When he signed the Executive order, President Obama also underscored the need 
for comprehensive cybersecurity legislation, since the scope of the Executive order 
is limited. What are your legislative priorities in terms of items you believe should 
be included in cyber legislation? 

We’d like to hear from all the witnesses on this issue. 

Answer. The administration’s legislative priorities for the 113th Congress build 
upon the President’s 2011 Cybersecurity Legislative Proposal and take into account 
2 years of public and congressional discourse about how best to improve the Nation’s 
cybersecurity. 

The administration is working toward legislation that: 

— Facilitates cybersecurity information sharing between the government and the 
private sector as well as among private sector companies. We believe that such 
sharing can occur in ways that protect privacy, confidentiality, and civil lib- 
erties, reinforce the appropriate roles of civilian and intelligence agencies, and 
include targeted liability protections. 

— Incentivizes the adoption of best practices and standards for critical infrastruc- 
ture by complementing the process set forth under the Executive order; 

— Gives law enforcement the tools to fight crime in the digital age while pro- 
tecting privacy, confidentiality, and civil liberties; 

— Updates Federal agency network security laws, and codifies DHS’ cybersecurity 
responsibilities; and 

— Creates a National Data Breach Reporting requirement. 

In each of these legislative areas, the right privacy, confidentiality, and civil lib- 
erties safeguards must be incorporated. The administration wants to continue the 
dialogue with the Congress and stands ready to work with members of Congress to 
incorporate our core priorities to produce cybersecurity information sharing legisla- 
tion that addresses these critical issues. 

CYBER EXECUTIVE ORDER — PROTECTING PRIVACY AND CIVIL LIBERTIES 

Question. The Executive order requires Federal agencies to develop cybersecurity 
efforts in accordance with the Fair Information Practice Principles, as well as other 
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policies, principles, and frameworks to protect privacy and civil liberties. I worked 
with a number of other Senators to ensure that the Cybersecurity Act of 2012 in- 
cluded provisions to protect privacy and civil liberties. 

What specific steps can government agencies take to ensure that privacy and civil 
liberties are protected as we enhance our Nation’s cybersecurity? 

Answer. In April 2013, NIST published the Security and Privacy Controls for Fed- 
eral Information Systems and Organizations, Special Publication (SP) 800-53, Revi- 
sion 4. Appendix J provides a structured set of privacy controls, based on best prac- 
tices that help organizations comply with applicable Federal laws, Executive orders, 
directives, instructions, regulations, policies, standards, guidance, and organization- 
specific issuances. The privacy controls are based on the Fair Information Practice 
Principles (FIPPs) embodied in the Privacy Act of 1974, section 208 of the E-Govern- 
ment Act of 2002, and Office of Management and Budget (OMB) policies. There are 
eight privacy control families, each aligning with one of the FIPPs. They provide 
steps government agencies can take to ensure that privacy protected as we enhance 
our Nation’s cybersecurity. 

However, unlike the longstanding framework for evaluating privacy impacts 
under the FIPPs, there exists no similar, corresponding framework that supports 
general evaluations of the potential broad range of impacts that might occur within 
the collection of individual rights described as “civil liberties.” Policies typically 
focus on the protection of individual rights, and civil liberties issues arise within 
government frameworks (or specific programs implementing those frameworks) 
where implementation of the framework fails to account for those rights. Con- 
sequently, in addition to the specific NIST guidance described above, the Depart- 
ment of Homeland Security has established an interagency Assessments Working 
Group, consisting of representatives of the privacy and civil liberties officials of 
agencies involved in implementing the Executive order. The purpose of this group 
is to provide a forum for assisting agencies in meeting their responsibilities under 
the Executive order, including identifying cybersecurity activities and how to apply 
both the Fair Information Practice Principles and other applicable policies, prin- 
ciples and frameworks that provide privacy and civil liberties protections in these 
activities. Due to the highly divergent nature of critical infrastructure entities (in- 
cluding State and local government, private sector, quasi-governmental) the exact 
bundle of rights which are applicable in any given workplace will be highly variable; 
we recognize this challenge. The Department of Commerce is an active participant 
in this Working Group. 

As we noted above, the administration also supports legislation that would facili- 
tate cybersecurity information sharing between the government and the private sec- 
tor as well as among private sector companies. We believe that such sharing can — 
and must — occur in ways that protect privacy, confidentiality, and civil liberties, re- 
inforce the appropriate roles of civilian and intelligence agencies, and include tar- 
geted liability protections. 


Questions Submitted by Senator Tom Udall 

ROLE OF NATIONAL LABORATORIES IN PROMOTING CYBERSECURITY 

Question. Dr. Gallagher, our National Labs — which are the crown jewels of our 
Nation’s research system — are active in efforts to promote cybersecurity. 

In my home State of New Mexico, Sandia National Laboratories is engaged in ef- 
forts to secure the national electrical grid from cyber attack. Los Alamos National 
Laboratories is a leader in quantum cryptography. 

Sandia also has partnerships with universities and the private sector. They’re 
helping computer science students become cyber professionals. 

Could you discuss what role our National Labs should have in protecting our Na- 
tion from cyber attack? 

Answer. NIST recognizes the value of Department of Energy’s National Labora- 
tories cutting-edge research in addressing national priorities including 
cybersecurity. The results from the laboratories cybersecurity research are instru- 
mental in the development of next generation standards and best practices. Cur- 
rently, we are working with Department of Energy’s Laboratories on critical 
cybersecurity challenges such as security for the advanced metering infrastructure. 

ENGAGEMENT WITH INDUSTRY GROUPS 

Question. Dr. Gallagher, I would like to ask about NIST’s work with industry 
partners. When it comes to developing guidelines and standards for cybersecurity, 
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is NIST getting the level of cooperation it needs from industry stakeholders? Are 
there areas where more engagement is needed? 

Answer. NIST employs collaborative partnerships with our customers and stake- 
holders in industry, government, academia, and consortia to leverage their technical 
and operational insights and the resources of a global community. These collabo- 
rative efforts and our private sector collaborations in particular, are constantly ex- 
panding through new initiatives, including in recent years through the National Ini- 
tiative for Cybersecurity Education (NICE), National Strategy for Trusted Identities 
in Cyberspace (NSTIC), the National Cybersecurity Center of Excellence (NCCoE), 
and in implementation of Executive Order 13636, “Improving Critical Infrastructure 
Cybersecurity.” 

FEDERAL CYBERSECURITY STANDARDS AND NEW COMPUTING TRENDS 

Question. Dr. Gallagher, last month NIST revised its Federal cybersecurity guide- 
lines, which many agencies follow. 

Could you discuss how new computing tools and trends, such as the move to 
“cloud computing” and mobile devices creates new potential cyber vulnerabilities? 

Answer. Mobile devices and cloud computing have already significantly changed 
business capabilities, allowing employees access to information resources wherever 
and whenever they need it. These technologies offer both an opportunity and a chal- 
lenge. Their unique capabilities — including their always-on, always-connected na- 
ture — can facilitate more efficient and effective business, but also create new chal- 
lenges to ensure the confidentiality, integrity and availability of information 
accessed by these devices. 

To address the security challenges and accelerate the Federal Government’s se- 
cure adoption of cloud computing, NIST is playing a leading role in developing 
standards and guidelines, in close consultation and collaboration with standards 
bodies, the private sector, Federal departments and agencies, and other stake- 
holders. NIST’s long-term goal is to provide thought leadership and guidance around 
the cloud computing paradigm to catalyze its use within industry and government. 

NIST is working collaboratively with industry to bridge the security gaps in mo- 
bility. For example, NIST has ongoing work to identify properties and capabilities 
of roots of trust needed to secure next generation mobile devices. This work exam- 
ines issues relating to boot firmware protections; integrity measurement and report- 
ing of critical firmware and software; secure storage; device authentication; and ap- 
plication and data isolation. 

What are the main takeaways from NIST’s cybersecurity guidance to Federal 
agencies? 

Answer. NIST cybersecurity guidance builds on the guiding principle of mission- 
focused, risk-based information security. NIST performs research and develops 
standards, best practices, testing and metrics in order to provide protections against 
threats to the confidentiality, integrity and availability of information and services. 
Through collaborations with industry and academia, NIST’s programs in areas such 
as risk management, cryptography, identity management, authentication, key man- 
agement, security automation, privacy, usability, biometrics, configuration baselines, 
vulnerability management, and trusted hardware are designed to give practical, af- 
fordable and innovative guidance and metrics for today’s computing platforms and 
information management. 

MOBILE PHONES AND CYBERSECURITY AWARENESS 

Question. Dr. Gallagher, this year, there will be more mobile phones than people 
on the planet. Today, our wireless devices are not just phones, but pocket com- 
puters. We use them for sensitive transactions, including mobile banking and online 
purchases. 

But GAO recently found that cyber threats are increasing for mobile devices and 
the information they store. GAO recommended that DHS and NIST work together 
to “establish a baseline measure of consumer awareness . . . related to mobile se- 
curity.” GAO also recommends the development of performance measures that use 
the baseline to assess the effectiveness of initiatives to educate the public about 
cybersecurity. 

Could you share any thoughts on how best to raise public awareness for 
cybersecurity threats to mobile devices? 

Answer. NIST is leading the National Initiative for Cybersecurity Education 
(NICE) initiative, involving more than 20 Federal departments and agencies, to en- 
sure coordination, focus, public engagement, technology transfer and sustainability. 
DHS, FCC, and FTC are among the leads for the awareness components of NICE, 
including the development of baseline and progress information as part of their on- 
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going cybersecurity awareness campaigns. Interactions through this campaign sug- 
gest public awareness and practices with regard to mobile security are limited and 
this has led to the development of a “Safety Tips for Mobile Devices” resource by 
the STOP.THINK.CONNECT campaign and a recent blog post on “Being Smart 
with your Smartphone.” 

Question. What is the proper role for government and industry to promote best 
practices for both companies and consumers? 

Answer. Government and industry must work together to promote best practices 
for companies and consumers. NIST works closely with industry on the research, 
development and outreach necessary to provide standards and guidelines, tools, 
metrics and best practices to protect our Nation’s information technology infrastruc- 
ture for business and industrial control systems. Through these collaborations, NIST 
continues to develop cybersecurity standards, security metrics, and product assur- 
ance programs to promote, measure, and validate the security attributes of informa- 
tion systems and services. As technology advances and security requirements evolve, 
NIST, with its industry partnerships, can critically evaluate existing standards, 
guidelines, and technologies to ensure that they adequately reflect the current state 
of the art. 


Questions Submitted by Senator Thad Cochran 

Question. All witnesses, we have heard about the importance of cooperation and 
clearly defined lanes responsibility across the Federal Government for our 
cybersecurity efforts. What are your respective roles in receiving and sharing threat 
information with the private sector? 

Answer. NIST works with Federal agencies and private sector companies to de- 
velop underlying standards and best practices that are used to support a wide array 
of information sharing activities. These standards and best practices are a funda- 
mental component of providing coordination between organizations, allowing for 
rapid and accurate sharing of information between government and industry, and 
industry to industry. The collaborative development approach ensures that the 
needs of all sectors are adequately addressed, leading to an information sharing eco- 
system that benefits all organizations. 

Question. All witnesses, I think we all recognize the importance of defending our 
Nation’s critical infrastructure against cyber attacks. A foreign or terrorist cyber at- 
tack on our electric grid, water systems, or financial systems could cause widespread 
damage and even have detrimental effects on our economy and consumer confidence. 
There has been much discussion about how involved the Federal Government should 
be in defending infrastructure owned by non-Federal entities. How would you define 
the threshold for what types of non-Federal infrastructure might qualify as “critical” 
for these purposes? 

Answer. Executive Order 13636 defines critical infrastructure as the systems and 
assets, whether physical or virtual, so vital to the United States that the incapacity 
or destruction of such systems and assets would have a debilitating impact on secu- 
rity, national economic security, national public health or safety, or any combination 
of those matters. NIST is working with critical infrastructure owners and operations 
and their partners to define a cybersecurity framework that reduces cyber risks to 
critical infrastructure. The Draft Cybersecurity Framework includes a set of stand- 
ards, methodologies, procedures, and processes that align policy, business, and tech- 
nological approaches to address cyber risks. 

Question. All witnesses, we’ve often heard that there is a potential for a “Cyber 
Pearl Harbor,” or an unexpected cyber attack on our Nation by a foreign entity that 
has dramatic and lengthy consequences. I think it may be difficult for most Ameri- 
cans, and even members of this Committee, to visualize how exactly such an attack 
would be carried out and what it would look like. Can you help us to better under- 
stand these things? Are the appropriations this Committee has been recommending 
sufficient to help prevent such an attack? 

Answer. NIST considers a cybersecurity threat to be any circumstance or event 
with the potential to adversely impact organizational operations (including mission, 
functions, image, or reputation), organizational assets, individuals, other organiza- 
tions, or the Nation through an information system via unauthorized access, de- 
struction, disclosure, modification of information, and/or denial of service. This in- 
cludes threats that are immediate, have significant reach across the Internet and 
rapidly propagate. Ensuring we are able to develop solutions that can scale globally, 
protect technological innovation, and keep up with the threats are of utmost impor- 
tance to NIST and the Department of Commerce as a whole. 



87 


Unlike a physical attack that has to conform to physical constraints, a cyberattack 
can have velocity, reach, and scale that does not have these limiting factors. A 
cyberattack can occur at the speed of a digital transmission, our interconnected sys- 
tems can extend the reach beyond traditional kinetic limitations and with the inter- 
sections of cyber and physical systems, the scale of impacts can go beyond disrup- 
tion or disclosure of sensitive information. A cyberattack can potentially have a 
physical impact, conducted at the speed, reach of the Internet and at the scale of 
our interconnected systems. 

NIST appreciates the Committee’s continued support and funding for the critical 
cybersecurity efforts at NIST. 


Questions Submitted to Richard A. McFeely, Executive Assistant Director, 
Criminal, Cyber, Response, and Services Branch, Federal Bureau of Inves- 
tigation 


Questions Submitted by Senator Richard J. Durbin 

CYBER EXECUTIVE ORDER — ROLE OF THE EXECUTIVE ORDER VERSUS CYBER 

LEGISLATION 

Question. President Obama issued Executive Order (EO) 13636 in February of 
this year. What is the effect of this Executive order? Is it improving your ability 
to share information with the private sector? 

Answer. Implementation of Executive Order (EO) 13636 is underway across the 
U.S. Government (USG). The Federal Bureau of Investigation (FBI) is optimistic 
that, once fully implemented, the Executive order will lead to better information 
sharing between the private sector and the government. Consistent with the USG 
policy (articulated in section 4 of EO 13636) “to increase the volume, timeliness, and 
quality of cyber threat information shared with U.S. private sector entities,” the FBI 
has prioritized the efficient, effective, and appropriate sharing of cyber threat infor- 
mation with authorized entities and is working with the Department of Homeland 
Security (DHS) to ensure a consistent, whole-of-government solution to sharing 
cyber threat information with the private sector. 

Among these changes, we have modified the means by which we share informa- 
tion with the private sector to prevent intrusion into companies’ networks and the 
exfiltration of their data and intellectual property. For example, the FBI has in- 
creased the level of detail it provides to industry partners in briefings regarding 
cyber threats. The National Cyber Investigative Joint Task Force conducts these 
briefings for private sector, government, and critical infrastructure partners on a 
near-daily basis. In partnership with DHS and the Treasury Department, we also 
provided a detailed briefing on financial services industry threats to executives of 
more than 40 banks who participated in a secure video teleconference. Detailed 
briefings have also been provided to those in the energy sector, which is a key part 
of our Nation’s infrastructure. 

In addition, the FBI is working with DHS to release Joint Indicator Bulletins 
(JIBs) to anti-virus companies, Internet service providers, and foreign partners. 
These JIBs contain information regarding Internet Protocol (IP) addresses that are 
believed to be infected with malware. Since October 2012, the FBI has released ap- 
proximately 170,000 IP addresses to more than 130 countries through DHS’s U.S. 
Computer Emergency Response Team and our Legal Attache. We have also released 
nine FBI Liaison Alert System notices to victims of intrusions and to trusted part- 
ners. These notices contain specific and technical actionable intelligence related to 
threats. Furthermore, as required by EO 13636, the Deputy Attorney General 
(DAG) has issued instructions regarding the timely production of unclassified re- 
ports of cyber threat information. The DAG instructions require the FBI to produce 
timely reports that contain sufficient technical and threat detail to facilitate 
cybersecurity defense and response activities. Furthermore, all components of the 
Department of Justice (DOJ) are required to update their systems to increase the 
volume, timeliness, and quality of cyber threat information that is shared with U.S. 
private sector entities so they can better protect and defend against cyber threats. 

Question. When he signed the Executive order, President Obama also underscored 
the need for comprehensive cybersecurity legislation, since the scope of the Execu- 
tive order is limited. What are your legislative priorities in terms of items you be- 
lieve should be included in cyber legislation? 

Answer. We would be pleased to work with DOJ, DHS, and others to identify leg- 
islative measures that may enhance cybersecurity, and we look forward to providing 
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our views of any possible legislation pursuant to DOJ’s role in assisting in the devel- 
opment of the administration’s position. 

CYBER EXECUTIVE ORDER — PROTECTING PRIVACY AND CIVIL LIBERTIES 

Question. The Executive order requires Federal agencies to develop cybersecurity 
efforts in accordance with the Fair Information Practice Principles, as well as other 
policies, principles, and frameworks to protect privacy and civil liberties. I worked 
with a number of other Senators to ensure that the Cybersecurity Act of 2012 in- 
cluded provisions to protect privacy and civil liberties. What specific steps can gov- 
ernment agencies take to ensure that privacy and civil liberties are protected as we 
enhance our Nation’s cybersecurity? 

Answer. Section 5 of EO 13636 is consistent with the work USG agencies have 
been doing to ensure that privacy and civil liberties are incorporated into our cyber 
activities and affirms the need to continue these efforts. Departments and agencies 
must also conduct regular assessments, with subsequent reporting, and include in 
these assessments an evaluation of their activities against the Fair Information 
Practice Principles and other applicable privacy and civil liberties policies, prin- 
ciples, and frameworks. 

The FBI builds privacy and civil liberties protections into all investigative efforts, 
including cybersecurity. For example, the Domestic Investigations and Operations 
Guide (DIOG), which articulates FBI policy regarding our investigative and intel- 
ligence collection activities, outlines protections to be afforded at each step of an in- 
vestigation. All FBI operational personnel are required to complete DIOG training 
and a specific privacy course, as well as yearly information security training (which 
includes a privacy component). The Privacy and Civil Liberties Unit (PCLU) in the 
FBI’s Office of the General Counsel is devoted to privacy and civil liberties issues, 
including Bureau-wide compliance with the requirements of the Privacy Act and the 
eGovernment Act. PCLU is also actively involved in assessing the privacy and civil 
liberties aspects of FBI information systems and programs through Privacy Thresh- 
old Analyses and Privacy Impact Assessments. PCLU works closely with all FBI di- 
visions, including the Cyber Division, to help ensure that appropriate protections 
are in place. 


Questions Submitted by Senator Mary L. Landrieu 

Question. General Alexander testified that the services, departments, and agen- 
cies need to work together to ensure that they have adequate test bed and range 
space to safely organize, train, and equip the cyber warriors, operators, managers, 
researchers, and agents across the Federal Government. 

a. What are the specific requirements that your departments and their various 
agencies have for test bed and range space? What specific outcome will those estab- 
lished requirements render in trained personnel and tactics? 

b. What is the current test bed and range capacity available to each of your de- 
partments? What is the wait time or backlog based on the access you currently 
have? 

c. Have you identified additional test bed or range space that you would like to 
acquire, use, or lease? 

d. What are the fiscal years 2013 and 2014 funding levels for testing and training 
space? 

e. What percentage of your required testing and training needs will you be able 
to meet in fiscal years 2013 and 2014? 

Answer to subparts a through e. As used in this inquiry, the concepts of “test-bed” 
and “range space” are not used by the FBI and we are not able to comment on them. 


Questions Submitted by Senator Tom Udall 

ROLE OF NATIONAL LABORATORIES IN PROMOTING CYBERSECURITY 

Question. Mr. McFeely, our National Labs — which are the crown jewels of our Na- 
tion’s research system — are active in efforts to promote cybersecurity. 

In my home State of New Mexico, Sandia National Laboratories is engaged in ef- 
forts to secure the national electrical grid from cyber attack. Los Alamos National 
Laboratories is a leader in quantum cryptography. 

Sandia also has partnerships with universities and the private sector. They’re 
helping computer science students become cyber professionals. 



89 


Could you discuss what role our National Labs should have in protecting our Na- 
tion from cyber attack? 

Answer. The National Laboratories, which are Department of Energy (DOE) enti- 
ties, are central to cybersecurity research and development and should continue to 
lead in these efforts. There are multiple areas in which opportunities exist for FBI- 
National Lab partnerships that leverage National Lab knowledge and resources to 
assist the FBI in meeting investigative challenges. For example, the FBI’s Oper- 
ational Technology Division and the Labs could partner to: 

— Enlist the Labs’ supercomputing resources to help solve the FBI’s most 
computationally challenging problems; 

— Study where to apply quantum cryptography research to protect against active 
cyber threats; 

— Apply the Labs’ vulnerability research to active FBI investigations; and 

— Use unsolved investigative problems to motivate National Labs’ vulnerability 
research. 

Additionally, we continue to appreciate DOE’s critical role as the sector specific 
agency for the energy sector in providing a cooperative environment to help the en- 
ergy sector defend against cyber threats. Currently, the FBI collaborates with DOE 
and DHS to ensure the timely sharing of threat information with the energy sector. 
The FBI also works with DOE to support a voluntary program in which energy sec- 
tor asset owners use government-developed tools to improve their situational aware- 
ness and better protect their own assets. Asset owners are free to share this infor- 
mation with the industry and government at their discretion. 

Question. Mr. McFeely, your written testimony describes how the FBI is trying 
to help State and local law enforcement agencies pursue Internet crimes. I am dis- 
turbed by your comment that very few cases referred to State and local officials by 
the FBI are actually being worked. 

Could you elaborate on the FBI’s pilot program you mention in your testimony 
to help State and local law enforcement agencies pursue Internet fraud and cyber 
crimes? 

Answer. Every year, there are thousands of individual and corporate victims of 
crimes facilitated through the use of computer networks or devices with targets that 
are independent of those networks or devices. These crimes are often referred to as 
Internet-facilitated crimes. Because these cases frequently involve victims spread 
across multiple jurisdictions and perpetrators living in foreign countries, local and 
State law enforcement agencies have often viewed these crimes as the province of 
Federal law enforcement agencies. Yet, while many local and State agencies have 
seen the problem as too broad for their jurisdictions, Federal agencies have not been 
able to prioritize these crimes in such a way that they receive significant investiga- 
tive attention. 

To properly address the threat of Internet-facilitated crimes against U.S. victims, 
the FBI is establishing a platform to assist in the development of these investiga- 
tions by Federal, State, local, tribal, and international law enforcement agencies. 
This platform is being developed through the Internet Crime Complaint Center 
(IC3), which has received victims’ reports of Internet crimes for the past 13 years 
and is currently receiving approximately 300,000 complaints annually. The FBI will 
leverage intelligence that has been consolidated at IC3 and package it in a way that 
facilitates investigations by appropriate law enforcement agencies, with assistance 
provided by the FBI’s local Cyber Task Force. 

In addition to this broad program, the FBI is seeking ways to work in cost-effi- 
cient and effective ways with State and local governments on cybersecurity matters. 
For example, we have begun a pilot project with the Utah Department of Public 
Safety to disseminate Internet fraud information to law enforcement authorities 
throughout the State. We will assess the results of this Utah pilot to determine 
whether it should be expanded to other jurisdictions. 


Questions Submitted by Senator Thad Cochran 

Question. All witnesses, we have heard about the importance of cooperation and 
clearly defined lanes responsibility across the Federal Government for our 
cybersecurity efforts. What are your respective roles in receiving and sharing threat 
information with the private sector? 

Answer. The FBI, which is an intelligence-driven and threat-focused national se- 
curity organization with both intelligence and law enforcement responsibilities, is 
charged with investigating, attributing, and disrupting cyber crimes. The FBI may 
receive information regarding a cyber threat or incident from a victim or third 
party, including those in the private sector. We are working toward making Guard- 
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ian, which is our terrorist threat tracking and collaboration system, available to 
trusted industry partners to report cyber intrusions in real time. Known as 
iGuardian, this system will allow the FBI to more effectively understand and iden- 
tify cyber threats, collaborate with our government partners through the sharing of 
information regarding cyber intrusions, and track pending investigations and oper- 
ations. Each incident reported through this system will immediately be routed to 
CyWatch, the FBI’s 24/7 cyber operations center, where it will be vetted and as- 
signed to an FBI Cyber Task Force investigator. 

In the course of the FBI’s investigative process, we share information with USG 
partners in support of their roles in the incident response process. The information 
we share is used to help us and our Intelligence Community partners understand 
the actions, goals, methods, and capabilities of those posing threats, and to antici- 
pate and prevent future attacks against our critical infrastructure and government 
systems. The FBI also notifies any additional actual or potential victims or targets 
revealed through investigation and, as part of the USG team, provides the informa- 
tion they need to protect their systems. 

The FBI completes these activities in a manner that ensures protection of the dig- 
ital crime scene and actions are taken consistent with preserving evidence for use 
in a later criminal proceeding, if it is determined that such a proceeding is war- 
ranted. 

Question. All witnesses, I think we all recognize the importance of defending our 
Nation’s critical infrastructure against cyber attacks. A foreign or terrorist cyber at- 
tack on our electric grid, water systems, or financial systems could cause widespread 
damage and even have detrimental effects on our economy and consumer confidence. 
There has been much discussion about how involved the Federal Government should 
be in defending infrastructure owned by non-Federal entities. How would you define 
the threshold for what types of non-Federal infrastructure might qualify as “critical” 
for these purposes? 

Answer. Presidential Policy Directive 21, “Critical Infrastructure Security and Re- 
silience” (2/12/13) (PPD-21) defines the term “critical infrastructure” as follows: 

The term “critical infrastructure” has the meaning provided in section 1016(e) of 
the USA Patriot Act of 2001 (42 U.S.C. 5195c(e)), namely systems and assets, 
whether physical or virtual, so vital to the United States that the incapacity or de- 
struction of such systems and assets would have a debilitating impact on security, 
national economic security, national public health or safety, or any combination of 
those matters. 

PPD-21 identifies 16 critical infrastructure sectors. Based on the cyber threat to 
each of these sectors, the potential impact of a cyber attack on these sectors, and 
the extent to which other Federal agencies are responsible for their protection, the 
FBI has organized its efforts to address the threats to these 16 critical infrastruc- 
ture sectors in the following order of priority: 

— Financial Services, Chemical, Communications, Defense Industrial Base, En- 
ergy, Healthcare and Public Health, Information Technology, Nuclear, and 
Transportation; 

— Food and Agriculture, Critical Manufacturing, Dams, and Water; 

— Commercial Facilities, Emergency Services, and Government Facilities. 

Question. All witnesses, we’ve often heard that there is a potential for a “Cyber 
Pearl Harbor,” or an unexpected cyber attack on our Nation by a foreign entity that 
has dramatic and lengthy consequences. I think it may be difficult for most Ameri- 
cans, and even members of this Committee, to visualize how exactly such an attack 
would be carried out and what it would look like. Can you help us to better under- 
stand these things? Are the appropriations this Committee has been recommending 
sufficient to help prevent such an attack? 

Answer. As the question recognizes, the events of Pearl Harbor represented an un- 
expected, surprise attack on our Nation by a foreign entity with devastating con- 
sequences. Under this analogy, in a “Cyber Pearl Harbor,” the United States might 
one day face, without warning, the wide-scale disruption of a critical service that 
would result in damages, both economic and physical, to include the loss of life. 
Along with our law enforcement and Intelligence Community partners, the FBI 
works every day to prevent and address the threat of an attack of this scale. 

Cyber-attacks are continually increasing in both frequency and sophistication. The 
U.S. economy is continually threatened by cyber activities that are difficult to detect 
and that deprive us of the full value of our intellectual property, threaten our eco- 
nomic prosperity, and erode our military advantages. Since 2008, appropriated 
funds have provided more than 500 new FBI support, intelligence, and special agent 
personnel to address cyber threats. Although these and other critical resources have 
helped us counter increasingly aggressive cyber threats, as the sophistication of ma- 
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licious software increases and the demand that critical systems be globally available 
grows, these systems become ever more vulnerable to attack. 

CONCLUSION OF HEARING 

Chairwoman Mikulski. As previously announced and as part of 
our practice on security issues, we will now move to a closed brief- 
ing. Before we do, I would like to make some general closing com- 
ments. 

First of all, I really do want to thank the witnesses for partici- 
pating. The hearing has not been quite the way we originally 
thought, but it was a good hearing. People do have a right to know. 
People have a right to say their voices. That is why we responded. 

But I think the big national debate that started after 9/11 is the 
inherent tension between security and privacy. It is time now for 
a new, fresh national debate. It is beginning in the usual com- 
mittee structure. 

The second thing is that many of us are concerned about what 
is the access to people and businesses’ information. Now, there are 
those who, because of the Snowden revelation, wonder about Gov- 
ernment’s access to that information, whether it is through the 
NSA, whether it is through the IRS, or whatever. People are asking 
what is the Government doing. 

The purpose of this hearing, however, is who is raiding the infor- 
mation that we have. So maybe people are concerned about what 
is NSA doing. But I am concerned about the people every single 
day that are trying to get access to somebody’s Social Security 
number, their Medicare number, their checking account number, 
their smart phone information so they can either steal from them 
or lead to other access to their bank account, to their other kinds 
of assets. So we are worried about that. 

I am concerned every day about the number of people out there, 
with the great intellectual entrepreneurship of our country, that 
are coming up with new ideas and new products to create the new 
jobs for the 21st century. And they are being stolen in the greatest 
cyber espionage heist. So why find a cure for cancer if you can try 
to steal it from FDA or the Patent Office? I am worried about that. 

And then I worry about things like the grid and I worry about 
access to those who are trying to raid the grid. Tonight there is a 
gathering storm. We fear a derecho, another derecho maybe hitting 
the Maryland- Washington area. We know when the grid is shut 
down, it is a terrible consequence in terms of our society. I do not 
want ever to have a grid shut down here in the Greater Capital 
Region or anywhere in the United States. 

So the purpose of this hearing was to go after those who have 
predatory intent — predatory, premeditated intent — against either 
an individual, our business, or our critical infrastructure. 

There are those who are also concerned about is Government 
now passing beyond a red line on civil liberties. I think we ought 
to have that debate. I think we ought to have that discussion. It 
could be the subject of another hearing here. There will be the 
Feinstein hearing. There will be the Judiciary Committee hearing. 
But you know what? This is America. This is America and people 
have a right to know. They have a right to have their public offi- 
cials explain this. 
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So I think it has been a great hearing. 

So, therefore, though, this committee will now stand in recess 
after the closed briefing until the morning of Thursday, June 20, 
where we will vote on our spending allocations and also take up 
the very important legislation of Veterans Affairs and our agricul- 
tural appropriations. This committee now stands in recess. 

[Whereupon, at 4:39 p.m., Wednesday, June 12, the hearing was 
concluded, and the committee was recessed, to reconvene subject to 
the call of the Chair.] 
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